Analysis
- max time kernel: 57s
- max time network: 61s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23/04/2023, 20:53
- Static task: static1
General
- Target: aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe
- Size: 563KB
- MD5: 4b5cb6c2d3d2e1139e1aee17770d686a
- SHA1: 743342113f232694dadc946014feba9ed36c3fda
- SHA256: aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447
- SHA512: aa4e7d4b40b4792c3399c24004901dd351ce7ef8412cc249d066195bcd74efd38eff01087bbebf520a5123a04f176d764f7657caa920075e223de0d8a76490ff
- SSDEEP: 12288:By907w+rw2ypLOrqYwVyWJhuH2p0Cei2KHbQK:ByB2omqYWhbc22I2Kl
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it732656.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it732656.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it732656.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it732656.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it732656.exe

Executes dropped EXE 4 IoCs
pid | Process
1716 | ziIZ4272.exe
1436 | it732656.exe
1752 | kp954852.exe
2896 | lr313511.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it732656.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziIZ4272.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziIZ4272.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1436 | it732656.exe
1436 | it732656.exe
1752 | kp954852.exe
1752 | kp954852.exe
2896 | lr313511.exe
2896 | lr313511.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1436 | it732656.exe
Token: SeDebugPrivilege | 1752 | kp954852.exe
Token: SeDebugPrivilege | 2896 | lr313511.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4220 wrote to memory of 1716 | 4220 | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe | 67
PID 4220 wrote to memory of 1716 | 4220 | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe | 67
PID 4220 wrote to memory of 1716 | 4220 | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe | 67
PID 1716 wrote to memory of 1436 | 1716 | ziIZ4272.exe | 68
PID 1716 wrote to memory of 1436 | 1716 | ziIZ4272.exe | 68
PID 1716 wrote to memory of 1752 | 1716 | ziIZ4272.exe | 69
PID 1716 wrote to memory of 1752 | 1716 | ziIZ4272.exe | 69
PID 1716 wrote to memory of 1752 | 1716 | ziIZ4272.exe | 69
PID 4220 wrote to memory of 2896 | 4220 | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe | 71
PID 4220 wrote to memory of 2896 | 4220 | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe | 71
PID 4220 wrote to memory of 2896 | 4220 | aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe | 71
Processes
- C:\Users\Admin\AppData\Local\Temp\aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe (PID 4220)
  command line: "C:\Users\Admin\AppData\Local\Temp\aa2087583b53d3c557551ce6900aa26694df057b573cda5e31e25a9198b38447.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIZ4272.exe (PID 1716)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIZ4272.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it732656.exe (PID 1436)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it732656.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp954852.exe (PID 1752)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp954852.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr313511.exe (PID 2896)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr313511.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: 8c80b06d843bd6a7599a5be2075d9a55
  SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
  SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
  SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
- Filesize: 409KB
  MD5: 0665e679cc40d008947708e17ea87b34
  SHA1: 51856d848d2646ec81c1783a5536499eb3090552
  SHA256: 08077387188b632c97f0fb0e6543c82a311d853eb3dd90b2176e3f7659ce90f5
  SHA512: d854813c262a027f4c021a737478f9a8ccb3c8caba20c87907379558c0c3a862435bc1bb4ba62fd28edc6b2075d461103e5dd9c15c404957b060e79ea11e6efe
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 361KB
  MD5: 02eed21bb778e8de100481f913dcbc5c
  SHA1: 69ab450e9bbe748d816468292a42be1e5acec980
  SHA256: 87d2cdec680696e30a156789f0c5d0a5740f324e5d06b2c5be11fd61310d5def
  SHA512: 725164fc8152d6407b24059f00e23ac860e7466f4f934c24fd53024cad105b04a030de1757733a3cb7a183ee3f4fe8ea9d8cb7e2c66c2c04d8552ecd81ab399f