Analysis
max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:56
Static task: static1
General
Target: 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe
Size: 704KB
MD5: 81c3cde35f5d0f01114eb6d57abb5e7b
SHA1: fe420c3dc64c43eb0e72dfe220764aad573a9d0a
SHA256: 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133
SHA512: 6a62a0577968bf8e704222a54ed7c46caf7ea48563495cf297c60e993d63f90dbc571668b01429e795090e03c513f6d7c796c1cae51781f9401cfab85046a20d
SSDEEP: 12288:jy90z4PspE2SEdC6PuQJb9GBfKRCxjxMWC0ixKUTh0LVb5zbU:jye4Ep7SEdBGk0JKEZxpqxKL4
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr972974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr972974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr972974.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr972974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr972974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr972974.exe

Executes dropped EXE 4 IoCs
pid | Process
1000 | un725161.exe
1348 | pr972974.exe
4996 | qu281235.exe
2960 | si016216.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr972974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr972974.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un725161.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un725161.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
3644 | 1348 | WerFault.exe | 84
1936 | 4996 | WerFault.exe | 87
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1348 | pr972974.exe
1348 | pr972974.exe
4996 | qu281235.exe
4996 | qu281235.exe
2960 | si016216.exe
2960 | si016216.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1348 | pr972974.exe
Token: SeDebugPrivilege | 4996 | qu281235.exe
Token: SeDebugPrivilege | 2960 | si016216.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4356 wrote to memory of 1000 | 4356 | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe | 83
PID 4356 wrote to memory of 1000 | 4356 | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe | 83
PID 4356 wrote to memory of 1000 | 4356 | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe | 83
PID 1000 wrote to memory of 1348 | 1000 | un725161.exe | 84
PID 1000 wrote to memory of 1348 | 1000 | un725161.exe | 84
PID 1000 wrote to memory of 1348 | 1000 | un725161.exe | 84
PID 1000 wrote to memory of 4996 | 1000 | un725161.exe | 87
PID 1000 wrote to memory of 4996 | 1000 | un725161.exe | 87
PID 1000 wrote to memory of 4996 | 1000 | un725161.exe | 87
PID 4356 wrote to memory of 2960 | 4356 | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe | 90
PID 4356 wrote to memory of 2960 | 4356 | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe | 90
PID 4356 wrote to memory of 2960 | 4356 | 11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\11fff8f978485212be2e2e65d508ab3898cd39af4d0c828c3b0b48d5fc504133.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4356

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un725161.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un725161.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1000

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr972974.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr972974.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348

      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1064
      - Program crash
      PID:3644

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu281235.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu281235.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996

      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1320
      - Program crash
      PID:1936

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si016216.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si016216.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1348 -ip 1348
PID:3152

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4996 -ip 4996
PID:3208
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Filesize: 550KB
MD5: f78ae3b7e89da5467544df69148d9cb2
SHA1: 9ca480627eb8c718e8715a79977040a1e76d5d0f
SHA256: fba4e9b1fbeee34ea9704fd650b8d5e5867100bb733d6a0596880833f04412e0
SHA512: f80f0bc6a2b2ff59ca83c3b91d3d91f978deab136b2bfc3bb01bca4718487129a6dead51fc99c2dc774c2cddf814dab84c946245adeed7aed2adf0acec8dd151

Filesize: 277KB
MD5: 187eefa03502d4a363c461e2e04bd569
SHA1: 58b5d0fc66eab70287219ab0e4afafb914fb6870
SHA256: adcebf4f3b06b05dc6b14619fba7b8a9f94ebb30e15df070fbf3be39fe0a6d42
SHA512: 43a5d7a591ab50b96726d12a0dc615e3952cc34a03ffa2d6857b96c2128971ef8efd37570c7d1fdae601a6d4a090f855618b2bed3075fba87ccfb8b8f64a165f

Filesize: 361KB
MD5: c48869182e8ae88df373d92c43f13dca
SHA1: 8937bba92ea612a40dabe0d54939990f8a47ad2c
SHA256: 28a2856c04e1f6e3101abb6f511b5a40c4d3ab4c42deb96c8f1a91a6a2a73d5d
SHA512: 502f5dccdb1adcc80016fb2f66a8fe053fed7acc75bfffe90bd585f469652124e75b9cd1fa7fb8314472e322ff43e6400f5a64efbcdabb761c3a8af4d54f59be