Analysis
max time kernel: 52s
max time network: 64s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 20:54
Static task: static1
General
Target: 6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe
Size: 703KB
MD5: dcc9bb702be2c3bf7b7401f1e8f1793d
SHA1: dd885819a2b0f083fbe470f9c769dc28d4199698
SHA256: 6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab
SHA512: 2abf2e38c240cedba107ef61804503a2c6114aa3671add16bb6a8bbbb1a62024f46f705d6171a00403c40e5c764faddb1784dc0ada00e3015fd07b7f68162c47
SSDEEP: 12288:Py90HBTd/KxFEw3rAuQ1Y4H89DlQI9nCiB/9MWCnixKu+9Tk0NrQb:PyWdy4iRQ1Ya0lQI1xJ9plxKF60i
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description      ioc                                                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    pr563680.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr563680.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    pr563680.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        pr563680.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    pr563680.exe
Executes dropped EXE 4 IoCs
pid   Process
2680  un928740.exe
3412  pr563680.exe
4720  qu207281.exe
3964  si980837.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description      ioc                                                                                                  Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                           pr563680.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"    pr563680.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                                                                                                          Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                              un928740.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un928740.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                              6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
3412  pr563680.exe
3412  pr563680.exe
4720  qu207281.exe
4720  qu207281.exe
3964  si980837.exe
3964  si980837.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  3412  pr563680.exe
Token: SeDebugPrivilege  4720  qu207281.exe
Token: SeDebugPrivilege  3964  si980837.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                 procid_target
PID 1012 wrote to memory of 2680   1012  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe   66
PID 1012 wrote to memory of 2680   1012  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe   66
PID 1012 wrote to memory of 2680   1012  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe   66
PID 2680 wrote to memory of 3412   2680  un928740.exe                                                            67
PID 2680 wrote to memory of 3412   2680  un928740.exe                                                            67
PID 2680 wrote to memory of 3412   2680  un928740.exe                                                            67
PID 2680 wrote to memory of 4720   2680  un928740.exe                                                            68
PID 2680 wrote to memory of 4720   2680  un928740.exe                                                            68
PID 2680 wrote to memory of 4720   2680  un928740.exe                                                            68
PID 1012 wrote to memory of 3964   1012  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe   70
PID 1012 wrote to memory of 3964   1012  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe   70
PID 1012 wrote to memory of 3964   1012  6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe   70
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6941dece8298585f8fa25e48b2b34039c67e0b484d5f081ac50c0650250ae6ab.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1012
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un928740.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un928740.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2680
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr563680.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr563680.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3412
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu207281.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu207281.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4720
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si980837.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si980837.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3964
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
Filesize: 549KB
MD5: c9ba7afdef64940b0f2faa2a0f521e74
SHA1: 0f716608761e7c196f11482962e57831745ca242
SHA256: d087207ce5c69c21a1971d28ac211cd34c05bd0f2f20a859685acf207ea4b38a
SHA512: 920c74c7cfdd53ccf61f6e949720a80803319572cc0cd76891a35ba2447175a5ad82ca175af65f53cb4a4c89a4dbc874a74ba5ee63831f5a809aa238cf52fa19
Filesize: 277KB
MD5: fd21e1cefdaf259f4d89b70ea66ae855
SHA1: 8beb8da13dbdabf4d6bcd038e3eeaea9af4bf4bb
SHA256: d2d33e7d2403a25fec2bf71cf56db3a8b6121d4a77186016c316f9ebfe53ddfd
SHA512: f85253161f5bdcde8ab5d233687d75518821c8d8870db485874e5ae05d3550e40600ca0c50a10ce645dc7a9606fd9cf2b2118e39dd3f1d5b6cc50170d7b5ae4d
Filesize: 361KB
MD5: b13ca593bf05fa840649dd63e1e462d3
SHA1: 684dfa25cb6a8d6959b9df425f29988a4dfb6d07
SHA256: 26cfc568808d84b58129b1dd49fbcf21bf0060b26e5debb8b1a56f5991a8f140
SHA512: e4332c42dde57ca96b49f8ac9fc12ea15c3d5bf66a3c3c01d4f1287ac4d5dd4410ae7d795075e4c6bff3a2d9397815d70c6231d342c99de8510237aa054a9b5c