Analysis

  • max time kernel
    57s
  • max time network
    61s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23/04/2023, 20:53

General

  • Target

    aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe

  • Size

    563KB

  • MD5

    4b5cb6c2d3d2e1139e1aee17770d686a

  • SHA1

    743342113f232694dadc946014feba9ed36c3fda

  • SHA256

    aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447

  • SHA512

    aa4e7d4b40b4792c3399c24004901dd351ce7ef8412cc249d066195bcd74efd38eff01087bbebf520a5123a04f176d764f7657caa920075e223de0d8a76490ff

  • SSDEEP

    12288:By907w+rw2ypLOrqYwVyWJhuH2p0Cei2KHbQK:ByB2omqYWhbc22I2Kl

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe
    "C:\Users\Admin\AppData\Local\Temp\aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIZ4272.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIZ4272.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it732656.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it732656.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp954852.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp954852.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr313511.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr313511.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr313511.exe

          Filesize

          136KB

          MD5

          8c80b06d843bd6a7599a5be2075d9a55

          SHA1

          caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

          SHA256

          e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

          SHA512

          cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIZ4272.exe

          Filesize

          409KB

          MD5

          0665e679cc40d008947708e17ea87b34

          SHA1

          51856d848d2646ec81c1783a5536499eb3090552

          SHA256

          08077387188b632c97f0fb0e6543c82a311d853eb3dd90b2176e3f7659ce90f5

          SHA512

          d854813c262a027f4c021a737478f9a8ccb3c8caba20c87907379558c0c3a862435bc1bb4ba62fd28edc6b2075d461103e5dd9c15c404957b060e79ea11e6efe

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it732656.exe

          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp954852.exe

          Filesize

          361KB

          MD5

          02eed21bb778e8de100481f913dcbc5c

          SHA1

          69ab450e9bbe748d816468292a42be1e5acec980

          SHA256

          87d2cdec680696e30a156789f0c5d0a5740f324e5d06b2c5be11fd61310d5def

          SHA512

          725164fc8152d6407b24059f00e23ac860e7466f4f934c24fd53024cad105b04a030de1757733a3cb7a183ee3f4fe8ea9d8cb7e2c66c2c04d8552ecd81ab399f
