Analysis

  • max time kernel
    51s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23/04/2023, 20:59

General

  • Target

    0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe

  • Size

    703KB

  • MD5

    a70597a8dc473a216f327dfeede816e0

  • SHA1

    ffcc697e914d3459b972f263b2b7bb4446a2666d

  • SHA256

    0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e

  • SHA512

    0055d65e417b7e8da844fc26a9fb875be587f760c7cdac00e1c3b6177ae6ae643a1f7590f5331ecde024f1250ec59194a4d3ac7aca16a6c9f0f1fa33fcab591d

  • SSDEEP

    12288:ky90cxdGG+LP4qwu9b+DKVm1jUAWfIco7HHSQMWCZiJK8jlX:ky9GQq5bDVm1jUAWfI7ryQp3JKaX

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe
    "C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3236

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe

          Filesize

          136KB

          MD5

          8c80b06d843bd6a7599a5be2075d9a55

          SHA1

          caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

          SHA256

          e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

          SHA512

          cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe

          Filesize

          549KB

          MD5

          a638f4ecc80d3c3b92c86ba0fe768602

          SHA1

          5f6b94c1ec3cbdf361860bc1c7f8e17b0ba9a1ed

          SHA256

          93878c738488d0bb9e7df79ad32e34c4e142f80ff7fb2e9883e978ce99406816

          SHA512

          09c7482fcde34f444d0539cea47edd1e4d479603d74852767a025af4daa89950a9cebbc98130d113feb052b1d5dc59bfabc49e9300269d81a42dd2f54a0db63e

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe

          Filesize

          277KB

          MD5

          19c5b4b2753589f40613999fb7bce238

          SHA1

          ffd552ee9887c7edaf897780060a9bdb0f03f78c

          SHA256

          9dcd824b9ecb72731a22d20d41ce2d17aebe60384d7efb3e52ab026debae02a5

          SHA512

          d9f2e52c7f869c54378332a36573757bcf0058f68c38735aa7241211baf50e01dad0e987454a529ebc99d40eee3c86b780117cb62c26d78db8eefcb8bc692723

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe

          Filesize

          361KB

          MD5

          751bcd0f77072da780e538b4e7a905e6

          SHA1

          d94332ff97d94a01b70de2edd53076bf2d2c22d6

          SHA256

          67525e6c216826ddf8bf65ba2833c8fea0481fe345733551ce59a389c190dcf4

          SHA512

          8e75caf82d1a6000882c63b7fcae57c1d9e883560d04eb9a60b6a39f019203006b5cda350bf7ef2de3a33a636afa9152a662858998b1799c27862c4257f324d9

        • memory/2072-145-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-155-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-133-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

        • memory/2072-134-0x00000000071C0000-0x00000000076BE000-memory.dmp

          Filesize

          5.0MB

        • memory/2072-135-0x0000000004D90000-0x0000000004DA8000-memory.dmp

          Filesize

          96KB

        • memory/2072-136-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-137-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-139-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-141-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-143-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-131-0x0000000002DC0000-0x0000000002DDA000-memory.dmp

          Filesize

          104KB

        • memory/2072-147-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-149-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-151-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-153-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-132-0x00000000001D0000-0x00000000001FD000-memory.dmp

          Filesize

          180KB

        • memory/2072-157-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-159-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-161-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-163-0x0000000004D90000-0x0000000004DA2000-memory.dmp

          Filesize

          72KB

        • memory/2072-164-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

        • memory/2072-165-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

        • memory/2072-166-0x0000000000400000-0x0000000002BAE000-memory.dmp

          Filesize

          39.7MB

        • memory/2072-167-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

        • memory/2072-170-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

        • memory/2072-169-0x0000000000400000-0x0000000002BAE000-memory.dmp

          Filesize

          39.7MB

        • memory/3236-992-0x0000000000900000-0x0000000000928000-memory.dmp

          Filesize

          160KB

        • memory/3236-994-0x00000000079C0000-0x00000000079D0000-memory.dmp

          Filesize

          64KB

        • memory/3236-993-0x0000000007680000-0x00000000076CB000-memory.dmp

          Filesize

          300KB

        • memory/3736-176-0x0000000004D40000-0x0000000004D7A000-memory.dmp

          Filesize

          232KB

        • memory/3736-177-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-180-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-182-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-184-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-186-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-188-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-190-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-192-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-194-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-196-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-198-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-200-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-202-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-204-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-208-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-206-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-210-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-350-0x0000000002F40000-0x0000000002F86000-memory.dmp

          Filesize

          280KB

        • memory/3736-354-0x00000000072F0000-0x0000000007300000-memory.dmp

          Filesize

          64KB

        • memory/3736-352-0x00000000072F0000-0x0000000007300000-memory.dmp

          Filesize

          64KB

        • memory/3736-355-0x00000000072F0000-0x0000000007300000-memory.dmp

          Filesize

          64KB

        • memory/3736-973-0x000000000A290000-0x000000000A896000-memory.dmp

          Filesize

          6.0MB

        • memory/3736-974-0x00000000072A0000-0x00000000072B2000-memory.dmp

          Filesize

          72KB

        • memory/3736-975-0x0000000009C80000-0x0000000009D8A000-memory.dmp

          Filesize

          1.0MB

        • memory/3736-976-0x0000000009D90000-0x0000000009DCE000-memory.dmp

          Filesize

          248KB

        • memory/3736-978-0x0000000009DD0000-0x0000000009E1B000-memory.dmp

          Filesize

          300KB

        • memory/3736-977-0x00000000072F0000-0x0000000007300000-memory.dmp

          Filesize

          64KB

        • memory/3736-979-0x000000000A060000-0x000000000A0C6000-memory.dmp

          Filesize

          408KB

        • memory/3736-980-0x000000000AD30000-0x000000000ADC2000-memory.dmp

          Filesize

          584KB

        • memory/3736-981-0x000000000ADD0000-0x000000000AE20000-memory.dmp

          Filesize

          320KB

        • memory/3736-982-0x000000000AE40000-0x000000000AEB6000-memory.dmp

          Filesize

          472KB

        • memory/3736-178-0x0000000004D40000-0x0000000004D75000-memory.dmp

          Filesize

          212KB

        • memory/3736-175-0x0000000004B80000-0x0000000004BBC000-memory.dmp

          Filesize

          240KB

        • memory/3736-983-0x000000000AFE0000-0x000000000AFFE000-memory.dmp

          Filesize

          120KB

        • memory/3736-984-0x000000000B0B0000-0x000000000B272000-memory.dmp

          Filesize

          1.8MB

        • memory/3736-985-0x000000000B280000-0x000000000B7AC000-memory.dmp

          Filesize

          5.2MB