Analysis
max time kernel: 85s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:49
Static task: static1
General
Target: 2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe
Size: 563KB
MD5: 637cb972aaf29d9a049593cf3d501729
SHA1: c1d70dca288ff6efd9c46685366e4173e8cfa18b
SHA256: 2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b
SHA512: cba9c5be1c3560e1c22ad9c614f188bdd347fe05313e1af2a6420d717c15f0b9618ceaee541463e1bc8e20c74e333af0a77bb7055558e6005da85dcea9ab21b8
SSDEEP: 12288:xy90slLTnE44S/3ok3QT7hOH2EmCei6KkWG22u8Jvxsu:xy5f4S/4TTF82VI6K02bsJsu
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description        ioc                                                                                                              Process
Key created        \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                              it055745.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     it055745.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"         it055745.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     it055745.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     it055745.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   it055745.exe

Executes dropped EXE 4 IoCs
pid     Process
1636    ziHK5647.exe
1196    it055745.exe
3760    kp526052.exe
4724    lr983588.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
description        ioc                                                                                   Process
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"    it055745.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description        ioc                                                                                                                                                                                                        Process
Key created        \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                            2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe
Key created        \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                            ziHK5647.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    ziHK5647.exe
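The registry IoCs in the three signatures above are the report's most actionable rows, so here is an added triage routine (this editor's own Python, not part of the sandbox report) that runs over them. The EVENTS tuples are constructed from the report's rows, with one made-up msiexec.exe RunOnce entry as a control; the function names, finding names and severities are this example's own choices. It normalizes each path (\REGISTRY\MACHINE to HKLM, and the WOW6432Node view folded into the native view, since the 32-bit sample writes through the redirected key), flags each Defender Real-Time Protection policy value set to 1 and the Features\TamperProtection value set to 0, and tells ordinary RunOnce persistence apart from the wextract_cleanup entries. Those entries are how a wextract/IExpress self-extracting package schedules deletion of its IXPnnn.TMP unpack directory through advpack.dll's DelNodeRunDLL32; two of them, for IXP000.TMP and IXP001.TMP, mean the sample is a two-layer self-extractor, which matches the drop paths in the process tree below. Caveat a responder should keep in mind: the sandbox records the write calls, not whether Defender honoured them; on an endpoint with Tamper Protection enabled Defender does not honour these policy values and Tamper Protection itself cannot be switched off by a registry write.

```python
"""Triage sandbox registry-write IoCs for Defender tampering and RunOnce persistence.

Added example, not part of the sandbox report. EVENTS is constructed from the IoC
rows in the report (plus one made-up benign RunOnce entry as a control); the key
tables, severities and finding names are this example's own.
"""
import re

SAMPLE = "2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\%s\"'

# (operation, registry path, data, writing process) -- constructed from the report's rows
EVENTS = [
    ("Key created", RTP, None, "it055745.exe"),
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1", "it055745.exe"),
    ("Set value (int)", RTP + r"\DisableIOAVProtection", "1", "it055745.exe"),
    ("Set value (int)", RTP + r"\DisableOnAccessProtection", "1", "it055745.exe"),
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1", "it055745.exe"),
    ("Set value (int)", RTP + r"\DisableScanOnRealtimeEnable", "1", "it055745.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0", "it055745.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0", CLEANUP % "IXP000.TMP", SAMPLE),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1", CLEANUP % "IXP001.TMP", "ziHK5647.exe"),
    # constructed control: an ordinary RunOnce entry that must not be reported as Defender tampering
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Installer", r"C:\Temp\setup.exe /finish", "msiexec.exe"),
]


def normalize(path):
    """HKLM\\... in lower case, with the 32-bit WOW6432Node view folded into the native view."""
    p = path.lower()
    prefix = "\\registry\\machine\\"
    if p.startswith(prefix):
        p = "hklm\\" + p[len(prefix):]
    return p.replace("\\wow6432node\\", "\\")


RTP_POLICY = normalize(RTP)
RTP_DISABLE_VALUES = {"disablebehaviormonitoring", "disableioavprotection", "disableonaccessprotection",
                      "disablerealtimemonitoring", "disablescanonrealtimeenable"}
TAMPER = r"hklm\software\microsoft\windows defender\features\tamperprotection"
RUNONCE = r"hklm\software\microsoft\windows\currentversion\runonce"
# wextract/IExpress cleanup: rundll32 advpack.dll,DelNodeRunDLL32 "<unpack dir>"
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def triage(events):
    """Return (severity, finding, value name, process, detail) for every interesting value write."""
    out = []
    for op, path, data, proc in events:
        if not op.startswith("Set value"):
            continue  # creating the key sets nothing by itself; the value write is the IoC
        p = normalize(path)
        parent, _, name = p.rpartition("\\")
        if parent == RTP_POLICY and name in RTP_DISABLE_VALUES and data == "1":
            out.append(("high", "defender_rtp_disabled", name, proc, data))
        elif p == TAMPER and data == "0":
            out.append(("high", "tamper_protection_off", name, proc, data))
        elif parent == RUNONCE:
            m = CLEANUP_RE.search(data)
            if m:  # self-extractor scheduling deletion of its IXP*.TMP unpack directory
                out.append(("info", "sfx_cleanup_runonce", name, proc, m.group(1)))
            else:
                out.append(("medium", "runonce_persistence", name, proc, data))
    return out


def defender_tamperers(findings):
    """Processes that both disabled real-time protection policies and turned Tamper Protection off."""
    rtp = {f[3] for f in findings if f[1] == "defender_rtp_disabled"}
    tp = {f[3] for f in findings if f[1] == "tamper_protection_off"}
    return sorted(rtp & tp)


def sfx_unpack_dirs(findings):
    """Unpack directories scheduled for deletion, in registration order (one per SFX layer)."""
    return [f[4] for f in findings if f[1] == "sfx_cleanup_runonce"]


if __name__ == "__main__":
    findings = triage(EVENTS)
    for sev, kind, name, proc, detail in findings:
        print(f"[{sev:6}] {kind:24} {name:28} by {proc}: {detail}")
    print("Defender tamperers:", defender_tamperers(findings))
    print("SFX layers:", sfx_unpack_dirs(findings))
```

Run as-is it reports five defender_rtp_disabled rows and one tamper_protection_off row for it055745.exe, two sfx_cleanup_runonce rows (IXP000.TMP from the top-level sample, IXP001.TMP from ziHK5647.exe) and one runonce_persistence row for the control; the "Key created" row produces nothing.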
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 1 IoCs
pid     pid_target    Process         procid_target
4336    3760          WerFault.exe    90
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid     Process
1196    it055745.exe
1196    it055745.exe
3760    kp526052.exe
3760    kp526052.exe
4724    lr983588.exe
4724    lr983588.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description                pid     Process
Token: SeDebugPrivilege    1196    it055745.exe
Token: SeDebugPrivilege    3760    kp526052.exe
Token: SeDebugPrivilege    4724    lr983588.exe

Suspicious use of WriteProcessMemory 11 IoCs
description                         pid     Process                                                                   procid_target
PID 3980 wrote to memory of 1636    3980    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe    84
PID 3980 wrote to memory of 1636    3980    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe    84
PID 3980 wrote to memory of 1636    3980    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe    84
PID 1636 wrote to memory of 1196    1636    ziHK5647.exe                                                              85
PID 1636 wrote to memory of 1196    1636    ziHK5647.exe                                                              85
PID 1636 wrote to memory of 3760    1636    ziHK5647.exe                                                              90
PID 1636 wrote to memory of 3760    1636    ziHK5647.exe                                                              90
PID 1636 wrote to memory of 3760    1636    ziHK5647.exe                                                              90
PID 3980 wrote to memory of 4724    3980    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe    96
PID 3980 wrote to memory of 4724    3980    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe    96
PID 3980 wrote to memory of 4724    3980    2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe    96
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe"
  PID: 3980
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHK5647.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHK5647.exe
      PID: 1636
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it055745.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it055745.exe
          PID: 1196
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp526052.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp526052.exe
          PID: 3760
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1324
              PID: 4336
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr983588.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr983588.exe
      PID: 4724
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3760 -ip 3760
  PID: 1916
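The WriteProcessMemory signature and the process tree above answer one question a responder asks first: are these writes process injection into something unrelated, or the writes a parent makes into a child it is creating? The added Python below (this editor's example, not part of the report) encodes the process tree and the "wrote to memory of" rows as constructed data, rebuilds the tree, and classifies every distinct writer/target pair as "child" when the target's parent is the writer and "cross-process" otherwise; one extra pair, it055745.exe writing into lr983588.exe, is a made-up control that is not in the report. It also pulls the crashed PID out of the WerFault.exe command lines, which ties the "Program crash" row to kp526052.exe. Function names and the classification labels are this example's own. The procid_target numbers (84, 85, 90, 96) in the report are the sandbox's own process indices, not Windows PIDs, so the example keys everything on the PIDs.

```python
"""Rebuild the process tree from the report's Processes section and cross-check the
WriteProcessMemory IoCs against it.

Added example, not from the sandbox report. PROCESSES, WPM and WERFAULT_CMDLINES are
constructed from the report's tables; the final (1196, 4724) write is a made-up control
that does not appear in the report.
"""
import re
from collections import defaultdict

SAMPLE = "2180ce08ea1f660d3151c66f3c8f5f2624472731be2d5b8b2d6607cb8f6eeb7b.exe"

PROCESSES = {  # pid: (image name, parent pid); None = no parent shown in the report
    3980: (SAMPLE, None),
    1636: ("ziHK5647.exe", 3980),
    1196: ("it055745.exe", 1636),
    3760: ("kp526052.exe", 1636),
    4336: ("WerFault.exe", 3760),
    4724: ("lr983588.exe", 3980),
    1916: ("WerFault.exe", None),
}

WPM = [  # (writer pid, target pid), one entry per "wrote to memory of" row
    (3980, 1636), (3980, 1636), (3980, 1636),
    (1636, 1196), (1636, 1196),
    (1636, 3760), (1636, 3760), (1636, 3760),
    (3980, 4724), (3980, 4724), (3980, 4724),
    (1196, 4724),  # constructed control: a write into a process that is not the writer's child
]

WERFAULT_CMDLINES = [  # from the two WerFault.exe entries in the process tree
    "WerFault.exe -u -p 3760 -s 1324",
    "WerFault.exe -pss -s 480 -p 3760 -ip 3760",
]


def children(procs):
    """parent pid -> child pids, in the order the report lists them."""
    kids = defaultdict(list)
    for pid, (_, parent) in procs.items():
        kids[parent].append(pid)
    return kids


def render_tree(procs):
    """Indented 'name (pid)' lines, roots first, two spaces deeper per level."""
    kids = children(procs)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid][0]} ({pid})")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in kids.get(None, []):
        walk(root, 0)
    return lines


def classify_writes(procs, wpm):
    """Distinct (writer, target) pairs -> 'child' when the target is the writer's own child
    (the write happened while the child was being set up), else 'cross-process'
    (injection candidate: the writer is not the target's parent)."""
    result = {}
    for writer, target in wpm:
        parent = procs.get(target, (None, None))[1]
        result[(writer, target)] = "child" if parent == writer else "cross-process"
    return result


def crashed_pids(cmdlines):
    """PIDs named by -p in WerFault command lines, i.e. the processes that faulted."""
    return sorted({int(m.group(1)) for c in cmdlines for m in re.finditer(r"(?:^|\s)-p (\d+)", c)})


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for (w, t), kind in classify_writes(PROCESSES, WPM).items():
        print(f"{PROCESSES[w][0]} ({w}) -> {PROCESSES[t][0]} ({t}): {kind}")
    print("crashed:", [f"{PROCESSES[p][0]} ({p})" for p in crashed_pids(WERFAULT_CMDLINES)])
```

Every pair taken from the report classifies as "child": each target is the writer's direct child in the tree, which is the process-creation pattern rather than injection into a pre-existing process. Only the constructed control comes back "cross-process". The crash check returns 3760, kp526052.exe, from both WerFault command lines.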
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Filesize: 409KB
MD5: ff5d4747a4e0cde348504b27a398bb00
SHA1: c41bc288a70e1edf20f25bab5a845f19e895047a
SHA256: f4a221033c3e42db8525684c67ed19a152dae1aa0240015a9bead86bc91832b2
SHA512: 61753f8c9901a1b9c2d2654d2f50bb15d70b78dd926cd91afbd4b271f43fc64d606128deccdf3121f8303f8cb61300087e3043aa686bfde6412793a04175915b

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 361KB
MD5: de34462be13b630398a3744a65b4a578
SHA1: 9c7ab7b968a15aa99fb166cbeeacc8ab37aeeffc
SHA256: ea9a648f567ef51c846340dd09387c60752b7486b9eef53040d6aa7cd4f0d3d3
SHA512: 66fb43a9734425c715db0748462409dbbb614915c57de98b47c52e55f51e2f922126d661d51ebce07abf0140c4605a933b7fbb4c367fbfac1f1cf345dae0c35f