Analysis
- max time kernel: 51s
- max time network: 73s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23/04/2023, 20:52
- Static task: static1
General
- Target: ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe
- Size: 704KB
- MD5: c6ca8ec3bb39805bfc3601d0f5b3328a
- SHA1: db23bc501cd5290d1b7d1f17d2cca4d26a2e7e0e
- SHA256: ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e
- SHA512: 3d33224f1c90726c7d5971d396ab51ef37de915b0adba8fb9d721b1994a9e22fd2c1fb3ec27b667bc6d5bb0e48c2a7c509f2938514f876ffbdd8a8feeecac1b2
- SSDEEP: 12288:Ry90+TY33RH6RyCs9bNePo917uprs95TMWCJixKs3W+:RyDTY3kR+pQQ1ipobTpLxKsm+
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr918855.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr918855.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr918855.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr918855.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr918855.exe |
Executes dropped EXE 4 IoCs
| pid | Process |
| --- | --- |
| 4156 | un656661.exe |
| 996 | pr918855.exe |
| 4316 | qu769959.exe |
| 4268 | si830909.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr918855.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr918855.exe |
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un656661.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un656661.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
| pid | Process |
| --- | --- |
| 996 | pr918855.exe |
| 996 | pr918855.exe |
| 4316 | qu769959.exe |
| 4316 | qu769959.exe |
| 4268 | si830909.exe |
| 4268 | si830909.exe |
Suspicious use of AdjustPrivilegeToken 3 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 996 | pr918855.exe |
| Token: SeDebugPrivilege | 4316 | qu769959.exe |
| Token: SeDebugPrivilege | 4268 | si830909.exe |
Suspicious use of WriteProcessMemory 12 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 4212 wrote to memory of 4156 | 4212 | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe | 66 |
| PID 4212 wrote to memory of 4156 | 4212 | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe | 66 |
| PID 4212 wrote to memory of 4156 | 4212 | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe | 66 |
| PID 4156 wrote to memory of 996 | 4156 | un656661.exe | 67 |
| PID 4156 wrote to memory of 996 | 4156 | un656661.exe | 67 |
| PID 4156 wrote to memory of 996 | 4156 | un656661.exe | 67 |
| PID 4156 wrote to memory of 4316 | 4156 | un656661.exe | 68 |
| PID 4156 wrote to memory of 4316 | 4156 | un656661.exe | 68 |
| PID 4156 wrote to memory of 4316 | 4156 | un656661.exe | 68 |
| PID 4212 wrote to memory of 4268 | 4212 | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe | 70 |
| PID 4212 wrote to memory of 4268 | 4212 | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe | 70 |
| PID 4212 wrote to memory of 4268 | 4212 | ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe | 70 |
Processes
- ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe (PID 4212, depth 1)
  - path: C:\Users\Admin\AppData\Local\Temp\ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe
  - command line: "C:\Users\Admin\AppData\Local\Temp\ef9526fdf77446da567515da0f606a4874dbdf45a3c44d2844a134cee226981e.exe"
  - signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - un656661.exe (PID 4156, depth 2)
    - path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un656661.exe
    - command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un656661.exe
    - signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - pr918855.exe (PID 996, depth 3)
      - path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr918855.exe
      - command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr918855.exe
      - signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - qu769959.exe (PID 4316, depth 3)
      - path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu769959.exe
      - command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu769959.exe
      - signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - si830909.exe (PID 4268, depth 2)
    - path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si830909.exe
    - command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si830909.exe
    - signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads