Analysis
max time kernel: 85s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:57
Static task: static1
General
Target: aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe
Size: 563KB
MD5: 90538ccb612911ec820276e366511bc4
SHA1: 43b88f8d5f00507a6bcfb2bd561c03859d0c26c9
SHA256: aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89
SHA512: eea6ceca0343537714a7786b6d27180b8b700655a9cae7fed3b946d6232d610e68a54773c8bd5f9c54e0cf85a5c5186434cd7744a2da529fba38cacb39cb9296
SSDEEP: 12288:Uy90q/HcHildUJH6nHeKohfH22ECeipKlQbPP8z3r/:UyMCIVKQf2vIpKlCPq3z
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it367238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it367238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it367238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it367238.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it367238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it367238.exe

Executes dropped EXE 4 IoCs
pid | Process
3244 | zion4879.exe
740 | it367238.exe
792 | kp574345.exe
4336 | lr421493.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it367238.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zion4879.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zion4879.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1468 | 792 | WerFault.exe | 84

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
740 | it367238.exe
740 | it367238.exe
792 | kp574345.exe
792 | kp574345.exe
4336 | lr421493.exe
4336 | lr421493.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 740 | it367238.exe
Token: SeDebugPrivilege | 792 | kp574345.exe
Token: SeDebugPrivilege | 4336 | lr421493.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4540 wrote to memory of 3244 | 4540 | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe | 82
PID 4540 wrote to memory of 3244 | 4540 | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe | 82
PID 4540 wrote to memory of 3244 | 4540 | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe | 82
PID 3244 wrote to memory of 740 | 3244 | zion4879.exe | 83
PID 3244 wrote to memory of 740 | 3244 | zion4879.exe | 83
PID 3244 wrote to memory of 792 | 3244 | zion4879.exe | 84
PID 3244 wrote to memory of 792 | 3244 | zion4879.exe | 84
PID 3244 wrote to memory of 792 | 3244 | zion4879.exe | 84
PID 4540 wrote to memory of 4336 | 4540 | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe | 87
PID 4540 wrote to memory of 4336 | 4540 | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe | 87
PID 4540 wrote to memory of 4336 | 4540 | aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\aec1ce42a40e5f2d5b6207b3c7053d2dbf18ccc57429e2d77ff21d2d439fff89.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4540

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion4879.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zion4879.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:3244

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it367238.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it367238.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:740

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp574345.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp574345.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:792

            C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1056
              - Program crash
              PID:1468

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr421493.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr421493.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4336

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 792 -ip 792
  PID:3792
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Filesize: 409KB
MD5: 6d88fb3507c67d548eb22c37e7b9ea6b
SHA1: 67fb15ba29e95c7bc88368927ef64e6f8f81c26a
SHA256: 5540363559ab17a99911c7d4a144af5db0c0a6be59222f8f3077cf67c4965647
SHA512: f93053933349ddb9f353ce31058a89ab2cb56fcf112086e43a5a3e9cf940c96217bb38b2a0def32572d7a1d3d3971d544b4d6eaaf2d8f950e21a850329df050d

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 361KB
MD5: 1d5381a55551e29d04ab66452535daa5
SHA1: 115e20ae11564d3a7e3f0a6bf344552582ee5f54
SHA256: d707ee62173fdb6b44491f07effb134974f945c66705d710cda8df759a58718f
SHA512: 389cc715f52dbb362e2ea2d799aa5543b15ca6e7826b2afb477268a071618369377861932409fc29febc0c61e5b453e6dde1be60ae7c7063816348407b5f05ea