Analysis

max time kernel: 52s
max time network: 74s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 20:56
Static task: static1

General

Target: 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Size: 704KB
MD5: 5e8e2720dd5ee31dc37d4ce989db6a6d
SHA1: 9fe9adf39cf2b8430b66bb4a39931f84dcaeada6
SHA256: 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0
SHA512: eccac50d6ccb7a1c6c1a5f73a3d955dc4f325379cb21deac922267614f32ec2292d016663bbb3b22bce6d3378aa8713537ca0e83933e75662b1bb88e89e215dc
SSDEEP: 12288:Py90UYLCTCp4UWokEdJ0nrue2t1vB9RCTkZMI4HKhWS2PwcA+umB+HnMWCbiPK61:PyHsCwWokEdJq+j9aqjdhWS+y+uqMnpN
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
(signature name taken from the process tree below; the IoC table was listed without its heading)
description      ioc                                                                                                              process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   pr339134.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       pr339134.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   pr339134.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   pr339134.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr339134.exe
All five values live under the Real-Time Protection policy key, where a value of 1 switches the named protection layer off. The report records only the writes; it does not show whether Defender in the sandbox image honoured them.

Executes dropped EXE 4 IoCs
pid   process
4596  un255891.exe
4956  pr339134.exe
4788  qu024729.exe
1736  si217965.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
(signature name taken from the process tree below; the IoC table was listed without its heading)
description      ioc                                                                                     process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features              pr339134.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   pr339134.exe
The write lands in the WOW6432Node (32-bit) view of the Features key, consistent with the arch:x86 resource tag.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                                 process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                     8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                     un255891.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   un255891.exe
Caveat: both RunOnce values call advpack.dll's DelNodeRunDLL32 on the IXP00n.TMP extraction directory, i.e. they delete the temp directory at the next logon. That is the cleanup entry the Windows self-extractor (wextract, the IExpress packager) writes for every package it unpacks, not persistence for the payloads; none of the dropped executables gets a Run or RunOnce entry of its own in this report.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   process
4956  pr339134.exe
4956  pr339134.exe
4788  qu024729.exe
4788  qu024729.exe
1736  si217965.exe
1736  si217965.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   process
Token: SeDebugPrivilege  4956  pr339134.exe
Token: SeDebugPrivilege  4788  qu024729.exe
Token: SeDebugPrivilege  1736  si217965.exe

Suspicious use of WriteProcessMemory 12 IoCs
(four distinct parent-to-child writes, each recorded three times)
description                     pid   process                                                                  procid_target
PID 2208 wrote to memory of 4596  2208  8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe  66
PID 4596 wrote to memory of 4956  4596  un255891.exe                                                             67
PID 4596 wrote to memory of 4788  4596  un255891.exe                                                             68
PID 2208 wrote to memory of 1736  2208  8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe  70
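The registry IoCs above are the kind of thing worth triaging mechanically rather than by eye: the Defender policy writes and the TamperProtection value are the signal, while the RunOnce entries look like persistence but are the self-extractor's temp-directory cleanup. The following is an added example, not code from the sandbox, the report or the sample: a Python classifier that parses "Set value" / "Key created" lines in the layout used by this report and tags each write. The input lines are constructed from the IoCs on this page; the tag names, regexes and function names are this example's own.

```python
"""Triage sandbox-style registry IoC lines (added example, not the sandbox's code)."""
import re
from dataclasses import dataclass

# Constructed input: the registry IoCs listed in this report, one per line.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr339134.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr339134.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr339134.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr339134.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr339134.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr339134.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr339134.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un255891.exe',
]

# Real-Time Protection policy values that switch a protection layer off when set to 1.
RTP_KILLSWITCHES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".lower()
FEATURES_SUFFIX = r"\windows defender\features"
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\(run|runonce)$", re.I)
# "rundll32 advpack.dll,DelNodeRunDLL32 <dir>" deletes a directory; the Windows
# self-extractor registers exactly this under RunOnce as wextract_cleanupN.
SFX_CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)

SET_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r"^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$")

# Tags that should surface in a per-process summary (names chosen for this example).
NOTEWORTHY = {"defender-rtp-disabled", "defender-tamper-protection-off",
              "run-key-persistence", "runonce-sfx-cleanup"}


@dataclass(frozen=True)
class Finding:
    tag: str
    proc: str
    key: str    # full registry path, value name included for Set value lines
    value: str  # "" for Key created lines


def tag_set_value(key: str, value: str) -> str:
    """Decide what a single registry value write means for triage."""
    parent, _, name = key.rpartition("\\")
    low = parent.lower()
    if low == RTP_POLICY_KEY and name in RTP_KILLSWITCHES and value == "1":
        return "defender-rtp-disabled"
    if low.endswith(FEATURES_SUFFIX) and name == "TamperProtection" and value == "0":
        return "defender-tamper-protection-off"
    if RUN_KEY_RE.search(parent):
        # Run/RunOnce writes are persistence unless they are the SFX cleanup stub.
        return "runonce-sfx-cleanup" if SFX_CLEANUP_RE.search(value) else "run-key-persistence"
    return "other"


def classify(lines):
    """Parse report-style IoC lines into Findings; unparseable lines are kept, tagged 'unparsed'."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := SET_RE.match(line):
            findings.append(Finding(tag_set_value(m["key"], m["value"]), m["proc"], m["key"], m["value"]))
        elif m := KEY_RE.match(line):
            findings.append(Finding("key-created", m["proc"], m["key"], ""))
        else:
            findings.append(Finding("unparsed", "", line, ""))
    return findings


def summarize(findings):
    """Map each process name to the set of noteworthy tags it triggered."""
    out = {}
    for f in findings:
        if f.tag in NOTEWORTHY:
            out.setdefault(f.proc, set()).add(f.tag)
    return out


if __name__ == "__main__":
    for proc, tags in summarize(classify(SAMPLE_LINES)).items():
        print(f"{proc}: {', '.join(sorted(tags))}")
```

Run against the lines on this page, the summary attributes all Defender tampering to pr339134.exe and tags the two RunOnce writes as self-extractor cleanup, so nothing is reported as run-key persistence. Add further Run-key variants (HKCU, the non-redirected HKLM view) to RUN_KEY_RE before using this on reports from other sandboxes.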
Processes
(indentation shows the parent/child depth that the report marked 1, 2 and 3)

C:\Users\Admin\AppData\Local\Temp\8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe  (PID 2208)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ac9cafebb47d3586b65ac83680fa222c348a7dde8dfcb239fc74c673d60adf0.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255891.exe  (PID 4596)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255891.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr339134.exe  (PID 4956)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr339134.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu024729.exe  (PID 4788)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu024729.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si217965.exe  (PID 1736)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si217965.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Filesize: 549KB
MD5: 599ca3c1dc4a455942acf4e3cee1e314
SHA1: 03d693b8ea44d40426e6b0a034e48abf9c021048
SHA256: f9cac0abfc6a68192ac820347805d8077792a760e5f9b8171a318ba3f0dbf53a
SHA512: 306de73db60dfab23340d905d9e2e1727b400b630c43b45fa62d332cf48116e282bc808c4b01ed1c005e2b5d703be079ad1624809a5af8ea60813600e4df7469

Filesize: 277KB
MD5: a448b48a2025ea27e1a58a39079969c3
SHA1: 901a17c34b1b1c94930f102bac04184aa874f2be
SHA256: 825c87568fb355d1d5c0514edb47b98b030d3fdf471f70df3218ba41bf9e6eca
SHA512: e1578286b000a939e0ce621bf536d25cbcf4283aae0c7b0dab1b51921490294a4ed266aab69ea48000ed39bd6edfc806e94c251dd9e0f947f09ce3cd16f070f3

Filesize: 361KB
MD5: 4cc9b6788cb850c63da60a33d9ce5929
SHA1: d45654569113e8c712f3053371c2591718a96076
SHA256: c13921be9da15ed810405abcffddd018724d2e2ba8740e19fef8aba9941a3f60
SHA512: 3f20ba742ec83b29cd8cfaa6d53910b2c32a6487392c7715d87ca24590c256339a18994d2fa9666581afa4240acc46ae4dd95f2b93764e6ff1a90cfe46d42b90