Analysis
max time kernel: 83s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 20:58
Static task
static1
General
Target: 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe
Size: 563KB
MD5: 6e1779d258bf2eabf6ad0bd5dc0091ff
SHA1: 1219d0e0898d46bbb782024a0bb49df293959cf0
SHA256: 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4
SHA512: a31117939d2e3093f94584e9944c2f7a929dc11385f5f365b17550f5e1f0cda705b8b93f867044b6b6549f4ef413f295c2ddb8514cc593e1b89626558b77633f
SSDEEP: 12288:yy90uCDNzzmDobHTW/chTQ+TdMku2hmH2WRCeiTK0YUcPE0:yyBuNuDsi/c9NaZ+02+ITKhUcPH
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it597204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it597204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it597204.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it597204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it597204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it597204.exe
Executes dropped EXE 4 IoCs
pid | Process
676 | ziNO2748.exe
2684 | it597204.exe
5096 | kp802124.exe
3104 | lr766074.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it597204.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziNO2748.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziNO2748.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
636 | 5096 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2684 | it597204.exe
2684 | it597204.exe
5096 | kp802124.exe
5096 | kp802124.exe
3104 | lr766074.exe
3104 | lr766074.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2684 | it597204.exe
Token: SeDebugPrivilege | 5096 | kp802124.exe
Token: SeDebugPrivilege | 3104 | lr766074.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 932 wrote to memory of 676 | 932 | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | 83
PID 932 wrote to memory of 676 | 932 | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | 83
PID 932 wrote to memory of 676 | 932 | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | 83
PID 676 wrote to memory of 2684 | 676 | ziNO2748.exe | 84
PID 676 wrote to memory of 2684 | 676 | ziNO2748.exe | 84
PID 676 wrote to memory of 5096 | 676 | ziNO2748.exe | 89
PID 676 wrote to memory of 5096 | 676 | ziNO2748.exe | 89
PID 676 wrote to memory of 5096 | 676 | ziNO2748.exe | 89
PID 932 wrote to memory of 3104 | 932 | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | 97
PID 932 wrote to memory of 3104 | 932 | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | 97
PID 932 wrote to memory of 3104 | 932 | 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | 97
Processes
(indentation shows the parent/child relationship in the process tree)

C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe (PID: 932)
  command line: "C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe (PID: 676)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe (PID: 2684)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe (PID: 5096)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID: 636)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1320
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe (PID: 3104)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID: 4184)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5096 -ip 5096
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
Filesize: 409KB
MD5: 87ce86e77ccfa5a23782f779f2a1b8d9
SHA1: 96aa608ce0bd3e9482f12f22ab98742d34fb1d89
SHA256: 027ddbf37851f2b1a19aa26d56bc303e07e36ceb99eeaf2f2acb46ce0130b81f
SHA512: ef86daa457d865ef4c0491f64367fbc2b84392b7ac04778efc90d7eea5e932167bf20c3e6e84d17669106edb9fca80d0177193f7d6b68b479b703b2221f13b2c
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 361KB
MD5: da856a20ca764dfefaeec22336150477
SHA1: ab72e8813c77a7214ab53c70a7327082aca69f3d
SHA256: 8cb7a0df0d1e247209c974313f59aeb97f2f744bf092b94755dcb7922b203840
SHA512: 54f7bc2cbcf753eea22e7f047bbb443d95556c17bbe527b4cf25ec1e7f906a10965c7f16c49071e3c61d0b043799870f921f225507b6c9d93422fff336ef4c98