Analysis

max time kernel: 62s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:50

Static task: static1
General

Target: d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe
Size: 703KB
MD5: 811dbc6cbe247e95de53d24fd82a77c1
SHA1: 1c453d30f445ea628178faa4c6ac1c19785a8ef5
SHA256: d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a
SHA512: 688dec9543e1fd92200e8b4eefc3c7abe44e9c31633b7bdb72d03cf29126248aaea1064b54defaaf955b5078a1d8a7e4aa1f43eaa1e2eecb3692bb7a898ba05d
SSDEEP: 12288:Dy90gdDEH5GkoguYZdBMjlI3Pcw4oWI7a2wPpUMWCXi9KoH6i:Dy/DEH51x8lI3POoWI+TBUpx9Kcj
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr793578.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr793578.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr793578.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr793578.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr793578.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr793578.exe

Executes dropped EXE 4 IoCs
  pid | Process
  4780 | un879104.exe
  1904 | pr793578.exe
  4052 | qu137750.exe
  3852 | si605853.exe

Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr793578.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr793578.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un879104.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un879104.exe

Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
  pid | pid_target | Process | procid_target
  4908 | 1904 | WerFault.exe | 83
  2176 | 4052 | WerFault.exe | 92

Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid | Process
  1904 | pr793578.exe
  1904 | pr793578.exe
  4052 | qu137750.exe
  4052 | qu137750.exe
  3852 | si605853.exe
  3852 | si605853.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1904 | pr793578.exe
  Token: SeDebugPrivilege | 4052 | qu137750.exe
  Token: SeDebugPrivilege | 3852 | si605853.exe

Suspicious use of WriteProcessMemory 12 IoCs
  description | pid | Process | procid_target
  PID 2436 wrote to memory of 4780 | 2436 | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe | 82
  PID 2436 wrote to memory of 4780 | 2436 | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe | 82
  PID 2436 wrote to memory of 4780 | 2436 | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe | 82
  PID 4780 wrote to memory of 1904 | 4780 | un879104.exe | 83
  PID 4780 wrote to memory of 1904 | 4780 | un879104.exe | 83
  PID 4780 wrote to memory of 1904 | 4780 | un879104.exe | 83
  PID 4780 wrote to memory of 4052 | 4780 | un879104.exe | 92
  PID 4780 wrote to memory of 4052 | 4780 | un879104.exe | 92
  PID 4780 wrote to memory of 4052 | 4780 | un879104.exe | 92
  PID 2436 wrote to memory of 3852 | 2436 | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe | 96
  PID 2436 wrote to memory of 3852 | 2436 | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe | 96
  PID 2436 wrote to memory of 3852 | 2436 | d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3581c31be39f700770e3accfe1b1a65a80cfb96f87a09e3f6252567c2339e1a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2436

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un879104.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un879104.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4780

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793578.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793578.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1904

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1080
              - Program crash
              PID: 4908

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu137750.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu137750.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4052

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1320
              - Program crash
              PID: 2176

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si605853.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si605853.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3852

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1904 -ip 1904
  PID: 4588

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4052 -ip 4052
  PID: 4652
Network
MITRE ATT&CK Enterprise v6
Downloads