Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 11:36
Static task: static1
General
Target: ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe
Size: 705KB
MD5: 4be6b4ada7a029153694891b0a5a0cdf
SHA1: 1b9fb012efbff0f52c07388f0cb9fcbcf147e6ae
SHA256: ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49
SHA512: 55a5ef9b7f95f6df2fd5c58655a11bbca960679e3335145b53447dd80788b0767cc6d64da98a67da749544c96f2962ac10ad61cd6e51d78b8ff3fc0006a18e9a
SSDEEP: 12288:ty909eQyQhVMo3TJb9+HT0YjL8gNaitdg2ZoyzPXIHwD3EOd+3B:tygyeio3TJbIHT0WI4fZey0Hrx
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr571946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr571946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr571946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr571946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr571946.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr571946.exe
Executes dropped EXE 4 IoCs
pid | Process
2148 | un699674.exe
4300 | pr571946.exe
3804 | qu253502.exe
1536 | si862961.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr571946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr571946.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un699674.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un699674.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1624 | 4300 | WerFault.exe | 82
720 | 3804 | WerFault.exe | 85
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4300 | pr571946.exe
4300 | pr571946.exe
3804 | qu253502.exe
3804 | qu253502.exe
1536 | si862961.exe
1536 | si862961.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4300 | pr571946.exe
Token: SeDebugPrivilege | 3804 | qu253502.exe
Token: SeDebugPrivilege | 1536 | si862961.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2924 wrote to memory of 2148 | 2924 | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe | 81
PID 2924 wrote to memory of 2148 | 2924 | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe | 81
PID 2924 wrote to memory of 2148 | 2924 | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe | 81
PID 2148 wrote to memory of 4300 | 2148 | un699674.exe | 82
PID 2148 wrote to memory of 4300 | 2148 | un699674.exe | 82
PID 2148 wrote to memory of 4300 | 2148 | un699674.exe | 82
PID 2148 wrote to memory of 3804 | 2148 | un699674.exe | 85
PID 2148 wrote to memory of 3804 | 2148 | un699674.exe | 85
PID 2148 wrote to memory of 3804 | 2148 | un699674.exe | 85
PID 2924 wrote to memory of 1536 | 2924 | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe | 88
PID 2924 wrote to memory of 1536 | 2924 | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe | 88
PID 2924 wrote to memory of 1536 | 2924 | ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ec22b1e1f1afd6fdcd2dfe6c4ff888bfce39b7b6a1ae514902e4667f54043c49.exe"
    PID: 2924
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699674.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699674.exe
        PID: 2148
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr571946.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr571946.exe
            PID: 4300
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1104
                PID: 1624
                - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu253502.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu253502.exe
            PID: 3804
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1316
                PID: 720
                - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si862961.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si862961.exe
        PID: 1536
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4300 -ip 4300
    PID: 2968

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3804 -ip 3804
    PID: 4924
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
Filesize: 551KB
MD5: a56a685f65c5243f6b48f20f5c9f76d9
SHA1: ca896f209aaf30bfc7b7efca88819a36e02be90a
SHA256: 6e2c9240554d99cb515d18f6b1f6b64efb253dffddb0dc6c341769d4615d01b6
SHA512: e112eb8af1b81791480c084e0fc8cfbb6a8bcb1a3d24e8451b12a79917da7305887c5c4b4f2fbf49b90e876c85f6d4d26874bd930b607ba077025966ae62fcaa
Filesize: 286KB
MD5: ab57822baa0f6b9c19b6e64b279509e2
SHA1: d5da6b925dcebf583c7c24ea612000a4375244e3
SHA256: 80606103406c3ac37dae614b27468e2877aea4b8d0f821677cb49f00b432fcaa
SHA512: 7716473db004db554ffa2c3a3dd15a7ffb886f31fb93a8eea48a2de95b173cebfb12597e8183619a71a8259e358d579292b0bd636aa0dd9a5e86f458097b707e
Filesize: 369KB
MD5: 8756a55ff1d5e2e548cdc45772d3f916
SHA1: 85a5aa4f0bb4912866aaa5df7d9881cadd4711c8
SHA256: 3959834becba5fdb7403e71f41f74f23929205c6519d91897893b93e2c021017
SHA512: fbc39d03eca37967ce670dcbbe6555226b539ae147a9298cd0c27e6c884d0d94a8b0e77623238af17c223df21cfe07f30ebb670bd6e1b154d459278efcca321e