Analysis
-
max time kernel: 62s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:51
Static task: static1
General
-
Target: 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe
Size: 704KB
MD5: 66cc91aabecdd4925dde8ed3f4d7efdf
SHA1: f7760f0446f6fe56806862cca01a99d8c1ec804b
SHA256: 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b
SHA512: 5e5eae486eb3ae97a8aaa79b6c749f7b326319db2eba8529bf09788a5db5bac309cf56ef79ae9e47493c11005ab7a65d354fe2dd110dc08dcee5024da726b801
SSDEEP: 12288:Jy90VI72VjdIwX9Nc3yh8y/QI7AtlsATWmusTyMWC9i6KzIg/+oZkt:Jy54+wXKyGy/cW52ypH6KzB/+oZI
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr970728.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr970728.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr970728.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr970728.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr970728.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr970728.exe
-
Executes dropped EXE (4 IoCs)
pid | Process
2492 | un201907.exe
4928 | pr970728.exe
2296 | qu754039.exe
676 | si147243.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr970728.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr970728.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un201907.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un201907.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
980 | 4928 | WerFault.exe | 85
980 | 2296 | WerFault.exe | 91
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4928 | pr970728.exe
4928 | pr970728.exe
2296 | qu754039.exe
2296 | qu754039.exe
676 | si147243.exe
676 | si147243.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4928 | pr970728.exe
Token: SeDebugPrivilege | 2296 | qu754039.exe
Token: SeDebugPrivilege | 676 | si147243.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4124 wrote to memory of 2492 | 4124 | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe | 84
PID 4124 wrote to memory of 2492 | 4124 | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe | 84
PID 4124 wrote to memory of 2492 | 4124 | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe | 84
PID 2492 wrote to memory of 4928 | 2492 | un201907.exe | 85
PID 2492 wrote to memory of 4928 | 2492 | un201907.exe | 85
PID 2492 wrote to memory of 4928 | 2492 | un201907.exe | 85
PID 2492 wrote to memory of 2296 | 2492 | un201907.exe | 91
PID 2492 wrote to memory of 2296 | 2492 | un201907.exe | 91
PID 2492 wrote to memory of 2296 | 2492 | un201907.exe | 91
PID 4124 wrote to memory of 676 | 4124 | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe | 94
PID 4124 wrote to memory of 676 | 4124 | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe | 94
PID 4124 wrote to memory of 676 | 4124 | 9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe | 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9575ff93a5faaa41ec0b017897d2966f0cf95339f65f629639f4eddb08f9690b.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4124
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201907.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201907.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2492
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr970728.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr970728.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4928
            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1080
                - Program crash
                PID: 980
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu754039.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu754039.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2296
            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1320
                - Program crash
                PID: 980
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si147243.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si147243.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 676
C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4928 -ip 4928
    PID: 452
C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2296 -ip 2296
    PID: 4884
Network
MITRE ATT&CK Enterprise v6
Downloads