Analysis
  max time kernel: 77s
  max time network: 100s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/04/2023, 21:00
  Static task: static1
General
  Target: 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe
  Size: 703KB
  MD5: 075ba26774047cf749628f31bb15bff4
  SHA1: e9690b1444748c3896f6c4e544107e96ede4eb9a
  SHA256: 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6
  SHA512: 20b20b08db5f665aa682f7aeb911a41ec4e09b6f53a99af5155b4dc4d54a9a56c1ffed82e27083c444d6498812e644b221a2857df0444fd9670ace8fb2e373a3
  SSDEEP: 12288:jy90wTNq0q8+ZIVr/RbHxHFhN5cHfyIHlx4NH7MWCVi0KQZ0JElTub:jyPo0q8pr5b9FhN5IyIFOt7pv0KQCiT0
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr893817.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr893817.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr893817.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr893817.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr893817.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr893817.exe

Executes dropped EXE 4 IoCs
pid | Process
3208 | un228000.exe
208 | pr893817.exe
4620 | qu580186.exe
4028 | si893268.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr893817.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr893817.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un228000.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un228000.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
1608 | 208 | WerFault.exe | 84
2952 | 4620 | WerFault.exe | 93

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
208 | pr893817.exe
208 | pr893817.exe
4620 | qu580186.exe
4620 | qu580186.exe
4028 | si893268.exe
4028 | si893268.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 208 | pr893817.exe
Token: SeDebugPrivilege | 4620 | qu580186.exe
Token: SeDebugPrivilege | 4028 | si893268.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3728 wrote to memory of 3208 | 3728 | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe | 83
PID 3728 wrote to memory of 3208 | 3728 | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe | 83
PID 3728 wrote to memory of 3208 | 3728 | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe | 83
PID 3208 wrote to memory of 208 | 3208 | un228000.exe | 84
PID 3208 wrote to memory of 208 | 3208 | un228000.exe | 84
PID 3208 wrote to memory of 208 | 3208 | un228000.exe | 84
PID 3208 wrote to memory of 4620 | 3208 | un228000.exe | 93
PID 3208 wrote to memory of 4620 | 3208 | un228000.exe | 93
PID 3208 wrote to memory of 4620 | 3208 | un228000.exe | 93
PID 3728 wrote to memory of 4028 | 3728 | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe | 97
PID 3728 wrote to memory of 4028 | 3728 | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe | 97
PID 3728 wrote to memory of 4028 | 3728 | 168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe (depth 1, PID:3728)
  command line: "C:\Users\Admin\AppData\Local\Temp\168d30783a27dc5ee3ae0c7071f5d5a36d1a0c7159389a88653f7482ba5436e6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un228000.exe (depth 2, PID:3208)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un228000.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr893817.exe (depth 3, PID:208)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr893817.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID:1608)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1012
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu580186.exe (depth 3, PID:4620)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu580186.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID:2952)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1324
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si893268.exe (depth 2, PID:4028)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si893268.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID:3188)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID:3340)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4620 -ip 4620
Network
MITRE ATT&CK Enterprise v6
Downloads