Analysis
- max time kernel: 114s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 23:56
- Static task: static1
General
- Target: bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe
- Size: 737KB
- MD5: 04019b30bd51085b1e9b4ba47e469049
- SHA1: b13e9290ae2e839da7232fab28a9ecf685f5e479
- SHA256: bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8
- SHA512: 996d02e2f1236456758d22e0ec6b69c4b05f6c17dae244a13aa5d63d4c9797e2d80acb096fb49394fac97bbf27ac701d19b208e2e6b704f01b10771e731e2e79
- SSDEEP: 12288:fy90EqokgexlmqLszb9T5O+oQIFNK8ntAXW5DI17zC0xIznWPYImhT:fyhwP3mqLq5cdFA8+WAn9xIjaYIaT
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr419578.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr419578.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr419578.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr419578.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr419578.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr419578.exe
Executes dropped EXE 4 IoCs
pid | Process
1356 | un751405.exe
3692 | 18845640.exe
988 | pr419578.exe
1740 | qu279112.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr419578.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr419578.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un751405.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un751405.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3352 | 988 | WerFault.exe | 93
3728 | 1740 | WerFault.exe | 99
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3692 | 18845640.exe
3692 | 18845640.exe
988 | pr419578.exe
988 | pr419578.exe
1740 | qu279112.exe
1740 | qu279112.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3692 | 18845640.exe
Token: SeDebugPrivilege | 988 | pr419578.exe
Token: SeDebugPrivilege | 1740 | qu279112.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1784 wrote to memory of 1356 | 1784 | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | 88
PID 1784 wrote to memory of 1356 | 1784 | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | 88
PID 1784 wrote to memory of 1356 | 1784 | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | 88
PID 1356 wrote to memory of 3692 | 1356 | un751405.exe | 89
PID 1356 wrote to memory of 3692 | 1356 | un751405.exe | 89
PID 1356 wrote to memory of 3692 | 1356 | un751405.exe | 89
PID 1356 wrote to memory of 988 | 1356 | un751405.exe | 93
PID 1356 wrote to memory of 988 | 1356 | un751405.exe | 93
PID 1356 wrote to memory of 988 | 1356 | un751405.exe | 93
PID 1784 wrote to memory of 1740 | 1784 | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | 99
PID 1784 wrote to memory of 1740 | 1784 | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | 99
PID 1784 wrote to memory of 1740 | 1784 | bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | 99
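The registry signatures above mix three different things: pr419578.exe switching off Defender's real-time protection through the Policies key, pr419578.exe writing TamperProtection = 0, and two RunOnce entries that are not persistence at all. A RunOnce value named wextract_cleanupN whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP>" is what Microsoft's WEXTRACT self-extractor registers to delete its temp directory at next logon, so the outer sample and un751405.exe are both SFX wrappers rather than processes installing a startup entry. Two caveats for triage: the sandbox logged the WOW6432Node view because the sample is a 32-bit process (note SysWOW64\WerFault.exe handling its crashes), and on a host with Tamper Protection enabled Defender rejects these registry changes, so treat the events as an attempt to impair defenses, not as proof that protection was disabled. The classifier below, an added example that is not part of the report or the sandbox's tooling, parses event lines in the same shape as the tables above and sorts them into those categories. All sample lines are copied from the report except the final Run\Updater line, which is constructed to show a real persistence entry next to the SFX cleanup entry; the signature names and helper functions are this example's own.

```python
"""Classify sandbox registry events into the tampering categories a
responder acts on (added example; not code from the sandbox or report)."""
import re
from collections import defaultdict

# Event lines in the report's own shape. All but the last are copied from the
# report; the last (Run\Updater) is constructed to contrast with the SFX cleanup entry.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr419578.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr419578.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr419578.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr419578.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr419578.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr419578.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr419578.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" constructed-example.exe
"""

# Signature labels used by this example (the first three mirror the report's wording).
SIG_RTP = "Modifies Windows Defender Real-time Protection settings"
SIG_TAMPER = "Windows security modification"
SIG_RUN = "Adds Run key to start application"
SIG_SFX_CLEANUP = "SFX cleanup entry (WEXTRACT), not payload persistence"

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')

DEFENDER_RTP_POLICY = "\\policies\\microsoft\\windows defender\\real-time protection"
DEFENDER_FEATURES = "\\microsoft\\windows defender\\features"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_event(line):
    """Split one report-style line into op, key, value name, data and process."""
    m = SET_RE.match(line)
    if m:
        vtype, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return {"op": "set", "type": vtype, "key": key, "name": name, "data": data, "process": proc}
    m = KEY_RE.match(line)
    if m:
        key, proc = m.groups()
        return {"op": "create", "type": None, "key": key, "name": None, "data": None, "process": proc}
    return None


def normalize(key):
    # Drop the 32-bit redirected view so one rule matches both registry paths.
    return key.lower().replace("\\wow6432node", "")


def classify(ev):
    key, name, data = normalize(ev["key"]), (ev["name"] or "").lower(), ev["data"]
    if key.endswith(DEFENDER_RTP_POLICY):
        # Creating the policy key or setting any Disable* flag to 1 counts.
        if ev["op"] == "create" or (name.startswith("disable") and data == "1"):
            return SIG_RTP
    if key.endswith(DEFENDER_FEATURES) and name == "tamperprotection" and data == "0":
        return SIG_TAMPER
    if ev["op"] == "set" and key.endswith(RUN_KEYS):
        # WEXTRACT registers rundll32 advpack.dll,DelNodeRunDLL32 to remove its temp dir.
        if name.startswith("wextract_cleanup") and "advpack.dll,delnoderundll32" in data.lower():
            return SIG_SFX_CLEANUP
        return SIG_RUN
    return None


def triage(lines):
    """Return {signature: [(process, full registry path, data), ...]}."""
    findings = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        sig = classify(ev) if ev else None
        if sig:
            target = ev["key"] + ("\\" + ev["name"] if ev["name"] else "")
            findings[sig].append((ev["process"], target, ev["data"]))
    return dict(findings)


def processes_impairing_defenses(findings):
    """Processes that touched either Defender signature; these go to the top of the queue."""
    return {proc for sig in (SIG_RTP, SIG_TAMPER) for proc, _, _ in findings.get(sig, [])}


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for sig, hits in results.items():
        print(f"{sig}: {len(hits)} IoC(s)")
        for proc, target, data in hits:
            print(f"  {proc}: {target}" + (f' = "{data}"' if data is not None else ""))
    print("impairing defenses:", sorted(processes_impairing_defenses(results)))
```

Run against the report's events this attributes every Defender change to pr419578.exe and files both wextract_cleanup entries as SFX cleanup, leaving only the constructed Run\Updater line as a genuine startup entry. The same rules apply unchanged to a native 64-bit process because normalize() strips the WOW6432Node component before matching.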
Processes
- C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe (PID 1784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe (PID 1356)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe (PID 3692)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe (PID 988)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3352)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1088
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe (PID 1740)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 3728)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1956
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5100)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 988 -ip 988
- C:\Windows\SysWOW64\WerFault.exe (PID 4048)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1740 -ip 1740
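Two things in this tree matter for reading the rest of the report. First, every "wrote to memory" row in the WriteProcessMemory signature is between a parent and the child it had just started (1784 to 1356 and 1740, 1356 to 3692 and 988), so the rows describe process creation, not injection into an unrelated process. Second, both payload stages crashed: pr419578.exe (988) and qu279112.exe (1740) each spawned WerFault.exe -u -p <pid> as a child, and the two top-level WerFault.exe -pss instances are the Windows Error Reporting service snapshotting the same PIDs. Behaviour after those crashes, including any network activity, was never observed, so the empty Network section does not mean the sample is quiet. The script below, an added example rather than code from the report or the sandbox, rebuilds the tree from a process list and pairs each WerFault.exe with the PID it reported on. PROCESSES is constructed from the Processes section as (pid, parent pid, image, command line); the report does not show who launched the two -pss WerFault.exe instances, so their parent is recorded as None, and the function names are this example's own.

```python
"""Rebuild a sandbox process tree and pair WerFault.exe with the crashed PID
(added example; not code from the sandbox or the report)."""
import ntpath
from collections import defaultdict

ROOT = r"C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
IXP000 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
IXP001 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP"

# (pid, parent pid, image path, command line), constructed from the report's
# Processes section. Parent None = top level as shown in the report.
PROCESSES = [
    (1784, None, ROOT, f'"{ROOT}"'),
    (1356, 1784, IXP000 + r"\un751405.exe", IXP000 + r"\un751405.exe"),
    (3692, 1356, IXP001 + r"\18845640.exe", IXP001 + r"\18845640.exe"),
    (988, 1356, IXP001 + r"\pr419578.exe", IXP001 + r"\pr419578.exe"),
    (3352, 988, WERFAULT, WERFAULT + " -u -p 988 -s 1088"),
    (1740, 1784, IXP000 + r"\qu279112.exe", IXP000 + r"\qu279112.exe"),
    (3728, 1740, WERFAULT, WERFAULT + " -u -p 1740 -s 1956"),
    (5100, None, WERFAULT, WERFAULT + " -pss -s 460 -p 988 -ip 988"),
    (4048, None, WERFAULT, WERFAULT + " -pss -s 560 -p 1740 -ip 1740"),
]


def werfault_target(cmdline):
    """PID named by -p on a WerFault.exe command line, or None for any other process."""
    parts = cmdline.split()
    if not parts or ntpath.basename(parts[0]).lower() != "werfault.exe":
        return None
    for flag, value in zip(parts, parts[1:]):
        if flag == "-p" and value.isdigit():
            return int(value)
    return None


def crashed_processes(procs):
    """Map each PID that WerFault.exe was launched for to its image name."""
    images = {pid: ntpath.basename(image) for pid, _, image, _ in procs}
    crashed = {}
    for _, _, _, cmd in procs:
        target = werfault_target(cmd)
        if target is not None and target in images:
            crashed[target] = images[target]
    return crashed


def render_tree(procs):
    """Indented lines, one per process, children under their parent in list order."""
    by_parent = defaultdict(list)
    for pid, ppid, image, _ in procs:
        by_parent[ppid].append((pid, image))
    lines = []

    def walk(ppid, depth):
        for pid, image in by_parent.get(ppid, []):
            lines.append(f"{'  ' * depth}{ntpath.basename(image)} (PID {pid})")
            walk(pid, depth + 1)

    walk(None, 0)
    return lines


def extraction_dirs(procs):
    """WEXTRACT unpacks into %TEMP%\\IXP<nnn>.TMP; each distinct dir is one SFX layer."""
    dirs = {ntpath.basename(ntpath.dirname(image)) for _, _, image, _ in procs}
    return sorted(d for d in dirs if d.upper().startswith("IXP") and d.upper().endswith(".TMP"))


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print("SFX layers:", extraction_dirs(PROCESSES))
    for pid, image in sorted(crashed_processes(PROCESSES).items()):
        print(f"crashed: {image} (PID {pid})")
```

For this run the crash map comes back as pr419578.exe (988) and qu279112.exe (1740), and the two IXP directories confirm two nested SFX layers before any real payload executes. The same pairing logic works on a live host against Sysmon process-creation events, where WerFault.exe -p <pid> is often the first sign that a dropped stage died before doing anything observable.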
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 361KB
  MD5: d6c93a35e3df5f1c7142e88e67e5557e
  SHA1: 5cdab3d894ce6d6966603de2fde1be9bae438593
  SHA256: 6ee570e0738a36142496c6b27dd66f8986b413961da7093f82d095fe636759a8
  SHA512: 370e757a3d92dbd60d1bdd2b0d67b7bd8f27d16addc9d465864c2857bcb804de911f89e6c2ed8bf21916ff296acd318f6a2d227d56f8b9e45d3a80f8affeb3ef
- Filesize: 380KB
  MD5: 2de59ca0f50cbc460923e6626754b8ee
  SHA1: 4e217d61ef0975ce359aa9ec461429b5e8e4d71d
  SHA256: 7e5896cebbebf4fd6df21cead501486c2cd925e9c1a3983e61fe17a6d8e2367a
  SHA512: 7af3a7ffd41837a4c368f7ccd4bb02ea2db1ad1cc3d971bcf693cef3d6ca56046f47fc7209bfe675ead6793cdfd628d8b1464e074e0cb06b4b0fa4c3c446744f
- Filesize: 136KB
  MD5: ace73b2b1f835de11594ea9a243a9f5c
  SHA1: 2f929d1f69784fbe499a95b064679a16947bdd84
  SHA256: 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
  SHA512: 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
- Filesize: 278KB
  MD5: 45421b5d132aa2e4d872fb2a5998ceae
  SHA1: 7fffcb816537a873d1c1b3a0f7eea721320c8e10
  SHA256: be18081f0f5777fdfec0e79812241f55a660e8619ce307c01327ffe23273f544
  SHA512: bdf382544fbe301fbd08ebf46b97e531d23bd38bc48e118da1ef9aafd97d54576c1e94129b3efca3740c601d787446f82dfe3fa8cfad496a7b4a1ee5ca6a577d