Analysis

- max time kernel: 99s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 20:48
- Static task: static1
General

- Target: 8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe
- Size: 703KB
- MD5: 1a832a37cb13df5a7427beb97ecda29a
- SHA1: 0bf128d481dad6f6c982db6411d0b4168848ebf7
- SHA256: 8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762
- SHA512: f7bc98559e0d136e7387bdf8de2ec7f51b3e9e7f69e6ec67765ae359258f29d8a3a7c58a7de7cc9a135ff2d48865d8560fa59bfadf8ab77d39bba365f20e7920
- SSDEEP: 12288:6y90FRYc0EDon2G4rGhLWh8/4ffcENI3FjB7EcMWCIipKSwYGz2X/+5YEoz:6yARYc0EDmYrGhSG/ONI19Ycp+pKJH4N
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr988185.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr988185.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr988185.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr988185.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr988185.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr988185.exe)

Executes dropped EXE (4 IoCs)
- PID 2640: un931437.exe
- PID 1648: pr988185.exe
- PID 1468: qu941560.exe
- PID 2812: si770675.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr988185.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr988185.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un931437.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un931437.exe)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (2 IoCs)
- PID 4088: WerFault.exe (target PID 1648, target procid 86)
- PID 380: WerFault.exe (target PID 1468, target procid 95)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1648: pr988185.exe
- PID 1648: pr988185.exe
- PID 1468: qu941560.exe
- PID 1468: qu941560.exe
- PID 2812: si770675.exe
- PID 2812: si770675.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (PID 1648, pr988185.exe)
- Token: SeDebugPrivilege (PID 1468, qu941560.exe)
- Token: SeDebugPrivilege (PID 2812, si770675.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 4640 wrote to memory of 2640 (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe, procid_target 85)
- PID 4640 wrote to memory of 2640 (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe, procid_target 85)
- PID 4640 wrote to memory of 2640 (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe, procid_target 85)
- PID 2640 wrote to memory of 1648 (un931437.exe, procid_target 86)
- PID 2640 wrote to memory of 1648 (un931437.exe, procid_target 86)
- PID 2640 wrote to memory of 1648 (un931437.exe, procid_target 86)
- PID 2640 wrote to memory of 1468 (un931437.exe, procid_target 95)
- PID 2640 wrote to memory of 1468 (un931437.exe, procid_target 95)
- PID 2640 wrote to memory of 1468 (un931437.exe, procid_target 95)
- PID 4640 wrote to memory of 2812 (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe, procid_target 99)
- PID 4640 wrote to memory of 2812 (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe, procid_target 99)
- PID 4640 wrote to memory of 2812 (8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe, procid_target 99)
Processes

C:\Users\Admin\AppData\Local\Temp\8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a6b2112ba926ca59067a90130b8b4965cd1f538d57e0de87bc2ea14ef83a762.exe"
  PID: 4640
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un931437.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un931437.exe
    PID: 2640
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr988185.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr988185.exe
      PID: 1648
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1080
        PID: 4088
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu941560.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu941560.exe
      PID: 1468
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 2072
        PID: 380
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si770675.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si770675.exe
    PID: 2812
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1648 -ip 1648
  PID: 1980

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1468 -ip 1468
  PID: 1048
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: 8c80b06d843bd6a7599a5be2075d9a55
  SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
  SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
  SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
- Filesize: 549KB
  MD5: e60de9a5dc2f4e685217877e6697f47f
  SHA1: 5476d42d47b649b60692d5c58afef25262895651
  SHA256: 84e76f870ca4a9055201c21a68ff5b7a2be57a37e5a4bc07c257c19c648784be
  SHA512: 21aa53bb7cddc0497fcc9f2fe3ba9cb2b5b3071f2b835a6e6b674d216b214b005822ada1bbbeae3ab2439efa6a33e02974c4a64bf9028a5a89bf463ea8152327
- Filesize: 277KB
  MD5: 6867a0ca024e78f52bb04d4ba1068af7
  SHA1: 0f4d84439740cc83df68a73464dde652163bb9ce
  SHA256: 334db03a7a025a5790ce96a5be6a8977792dc224e0abffc6aa1cdea622ec7cfa
  SHA512: f33278d0344b869a2975acf739a2de07299202d291af8159afedda4c2fc543bfbe862e6cd57ecbcb794e6ef7bd0c68c7438540eb65f129886ffe0aca2b79c41f
- Filesize: 361KB
  MD5: c3b409166afd8993c3d9c99f94ce4e5b
  SHA1: f9990a9b10066bd66a060909f8b25629e0b09e6b
  SHA256: fcba92a6a78e748d3a36519f51c83b16bb28faae1f8934c7e6a4030bddfd73da
  SHA512: a213a508eb4ef2d3868df1d14652301c89cf9bf9f80e90f224b24c328ed4bb2b7bafa95b343dbf060dfe031739f9689eeeff88d769758d8bb0382e039348c7db