Analysis

max time kernel: 51s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2023, 20:59
Static task: static1
General

Target: 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe
Size: 703KB
MD5: a70597a8dc473a216f327dfeede816e0
SHA1: ffcc697e914d3459b972f263b2b7bb4446a2666d
SHA256: 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e
SHA512: 0055d65e417b7e8da844fc26a9fb875be587f760c7cdac00e1c3b6177ae6ae643a1f7590f5331ecde024f1250ec59194a4d3ac7aca16a6c9f0f1fa33fcab591d
SSDEEP: 12288:ky90cxdGG+LP4qwu9b+DKVm1jUAWfIco7HHSQMWCZiJK8jlX:ky9GQq5bDVm1jUAWfI7ryQp3JKaX
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr006349.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr006349.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr006349.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr006349.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr006349.exe |

Executes dropped EXE 4 IoCs

| pid | Process |
| --- | --- |
| 4108 | un798185.exe |
| 2072 | pr006349.exe |
| 3736 | qu543825.exe |
| 3236 | si115054.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

Windows security modification 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr006349.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr006349.exe |
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un798185.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un798185.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs

| pid | Process |
| --- | --- |
| 2072 | pr006349.exe |
| 2072 | pr006349.exe |
| 3736 | qu543825.exe |
| 3736 | qu543825.exe |
| 3236 | si115054.exe |
| 3236 | si115054.exe |

Suspicious use of AdjustPrivilegeToken 3 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2072 | pr006349.exe |
| Token: SeDebugPrivilege | 3736 | qu543825.exe |
| Token: SeDebugPrivilege | 3236 | si115054.exe |

Suspicious use of WriteProcessMemory 12 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1716 wrote to memory of 4108 | 1716 | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | 66 |
| PID 1716 wrote to memory of 4108 | 1716 | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | 66 |
| PID 1716 wrote to memory of 4108 | 1716 | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | 66 |
| PID 4108 wrote to memory of 2072 | 4108 | un798185.exe | 67 |
| PID 4108 wrote to memory of 2072 | 4108 | un798185.exe | 67 |
| PID 4108 wrote to memory of 2072 | 4108 | un798185.exe | 67 |
| PID 4108 wrote to memory of 3736 | 4108 | un798185.exe | 68 |
| PID 4108 wrote to memory of 3736 | 4108 | un798185.exe | 68 |
| PID 4108 wrote to memory of 3736 | 4108 | un798185.exe | 68 |
| PID 1716 wrote to memory of 3236 | 1716 | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | 70 |
| PID 1716 wrote to memory of 3236 | 1716 | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | 70 |
| PID 1716 wrote to memory of 3236 | 1716 | 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | 70 |
Processes

- C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe (PID 1716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe (PID 4108)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe (PID 2072)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe (PID 3736)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe (PID 3236)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads