Analysis
max time kernel: 108s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:52
Static task: static1
General
Target: ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe
Size: 563KB
MD5: 154d8d4c1df48f6b9d7a97b59bb52247
SHA1: 5d8471ed459cc6eeb10a189a5681aede54b4a6fc
SHA256: ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf
SHA512: c89f8c6f2801026f7bf62e6ff3d5ff41a9ab4249f8a04cafc3618db22abcf8c7b9b05c1f296b559ad346cc3f5aa2f13c367e27a520ca3c6213fd23090ada86c2
SSDEEP: 12288:ry90CgrwngwUpwBiPlhIH2oGCeiLKsPxlbpLb:ryVgrwgwU6EPnO2RILKkxltLb
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it614491.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it614491.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it614491.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it614491.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it614491.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it614491.exe
Executes dropped EXE 4 IoCs
pid | Process
4400 | zias9918.exe
2796 | it614491.exe
1732 | kp269243.exe
4304 | lr364654.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it614491.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zias9918.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zias9918.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1772 | 1732 | WerFault.exe | 92
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2796 | it614491.exe
2796 | it614491.exe
1732 | kp269243.exe
1732 | kp269243.exe
4304 | lr364654.exe
4304 | lr364654.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2796 | it614491.exe
Token: SeDebugPrivilege | 1732 | kp269243.exe
Token: SeDebugPrivilege | 4304 | lr364654.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 748 wrote to memory of 4400 | 748 | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe | 86
PID 748 wrote to memory of 4400 | 748 | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe | 86
PID 748 wrote to memory of 4400 | 748 | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe | 86
PID 4400 wrote to memory of 2796 | 4400 | zias9918.exe | 87
PID 4400 wrote to memory of 2796 | 4400 | zias9918.exe | 87
PID 4400 wrote to memory of 1732 | 4400 | zias9918.exe | 92
PID 4400 wrote to memory of 1732 | 4400 | zias9918.exe | 92
PID 4400 wrote to memory of 1732 | 4400 | zias9918.exe | 92
PID 748 wrote to memory of 4304 | 748 | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe | 98
PID 748 wrote to memory of 4304 | 748 | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe | 98
PID 748 wrote to memory of 4304 | 748 | ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe (PID 748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebbf8c60e1ea750432f60c4796cfaefeb266df383d76b6a6bdbebf54447d42bf.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zias9918.exe (PID 4400)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zias9918.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it614491.exe (PID 2796)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it614491.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp269243.exe (PID 1732)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp269243.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 1772)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1340
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr364654.exe (PID 4304)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr364654.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 4192)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1732 -ip 1732
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
Filesize: 409KB
MD5: 5e9494b6d1cdeb4abe3267781b82f9f5
SHA1: 8593d71a310a6d1c852f646679653b8be875b548
SHA256: 2a19ea10360eab27facba56e97ac3489cbcaef4f5fe0bbd0fd69659698a4047c
SHA512: a6559fd5262f9dc290e98097513bc1b3a25c5d57b8384f13ce73a298cfa16f634c0a5de804c06b2c0ecfcd96b4f671d3df3433de692f0168f67695dc5ab993b1
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 361KB
MD5: 6d5ed9697befd5397b7f98347b3ce97a
SHA1: a43331378e3414e814cdb15aa51d9fdfe0ad3d69
SHA256: 43b4c0fe522c0808a58b6c080165aee6e7481ead3f3ee26d1d5befd6aa6bf1b9
SHA512: 326a4d75cbc8ac259c31c8edccfb5f31c462b50746fabc11e04955b46c634cf8c20b73dd9aa069ca28f07c88042a4fa228f2c413e74d094cfa9ec9db44ee5edb