Analysis
- max time kernel: 86s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 20:54
- Static task: static1
General
- Target: 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe
- Size: 563KB
- MD5: 38cc04da35f44f4d91f6b6eee2088f3a
- SHA1: a591838e72db2fecb183175661a3cfdaf08a37c3
- SHA256: 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864
- SHA512: 161578f843fe029b6d71c2f309bc38d45fb07a1e90bd18ff93ff7e2debdd49dc726661fc8a3a7fa223bb71f42df80beabbad2bc1199a3acddc2ac53686182f31
- SSDEEP: 12288:cy90Ha2wqAWa6vZeUbckyhmH2WyCei3KOYmC0d7:cyg8lFka02zI3Kn07
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it023482.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it023482.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it023482.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it023482.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it023482.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it023482.exe
Executes dropped EXE 4 IoCs
  pid | Process
  3888 | ziRk7375.exe
  2292 | it023482.exe
  228 | kp476287.exe
  2824 | lr402356.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it023482.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziRk7375.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziRk7375.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  3336 | 228 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid | Process
  2292 | it023482.exe
  2292 | it023482.exe
  228 | kp476287.exe
  228 | kp476287.exe
  2824 | lr402356.exe
  2824 | lr402356.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2292 | it023482.exe
  Token: SeDebugPrivilege | 228 | kp476287.exe
  Token: SeDebugPrivilege | 2824 | lr402356.exe
Suspicious use of WriteProcessMemory 11 IoCs
  description | pid | Process | procid_target
  PID 5000 wrote to memory of 3888 | 5000 | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe | 83
  PID 5000 wrote to memory of 3888 | 5000 | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe | 83
  PID 5000 wrote to memory of 3888 | 5000 | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe | 83
  PID 3888 wrote to memory of 2292 | 3888 | ziRk7375.exe | 84
  PID 3888 wrote to memory of 2292 | 3888 | ziRk7375.exe | 84
  PID 3888 wrote to memory of 228 | 3888 | ziRk7375.exe | 91
  PID 3888 wrote to memory of 228 | 3888 | ziRk7375.exe | 91
  PID 3888 wrote to memory of 228 | 3888 | ziRk7375.exe | 91
  PID 5000 wrote to memory of 2824 | 5000 | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe | 95
  PID 5000 wrote to memory of 2824 | 5000 | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe | 95
  PID 5000 wrote to memory of 2824 | 5000 | 3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e172aeef6f5ab3e46daeadb2229d9f993b35aacdeaa134244f28349f90ad864.exe"
  PID: 5000
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRk7375.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRk7375.exe
    PID: 3888
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it023482.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it023482.exe
      PID: 2292
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp476287.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp476287.exe
      PID: 228
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1860
        PID: 3336
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr402356.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr402356.exe
    PID: 2824
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 228 -ip 228
  PID: 1432
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: 8c80b06d843bd6a7599a5be2075d9a55
  SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
  SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
  SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
- Filesize: 409KB
  MD5: 74eb645072ef365b588ce5136608aadb
  SHA1: e67a5a6805bb825359b98d5d1769167a5547464b
  SHA256: 7daeec03c4ef4a54874dafb612bcbe49b7b71e12012bf022769baed03c93eba6
  SHA512: 0b45b36bf1cb85c435e8ab6160af2c0c1bc4f528aea0c66b1a36044de5f6a4ea7bb34b1d510c08993ab28a6daf308790d8993d3ab30e10e4bd14995fa9e1043f
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 361KB
  MD5: 461d798eb86412965eaba7376a5c044b
  SHA1: 8783026b430c2aeba51b6d9df803e1946a2dc991
  SHA256: 21db6016f411d0cc1b8c2f888feb5bef0b137ef2c0835ca28fe11fbe742b6d19
  SHA512: 3acf01cc465506a12344f831f14c564d5fad7e52324d59a0fac5958b749469ee1cadaa49ecbd34af3d787301212d81e05bbd74a9ee4a9cdf65e37907faadca3c