Analysis

max time kernel: 68s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 21:02
Static task: static1
General

Target: 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe
Size: 563KB
MD5: 1eef8ad80bdcda98ba26a5ac24b2c57b
SHA1: 55b2e376dc95045578b33202f1f64f424b0054d4
SHA256: 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8
SHA512: f06e09d11f0280a3be9c2a0e49a8a8de9ed39adefdf0904ee1eaeeeac9d471743d93d2cc4ad0becd72b11cc7c0ab9e9a29d9acf0aa609cf02b4dcffd87c61ff7
SSDEEP: 12288:Ey90fF1cPl4okFWBPzHa51MkG0huH2xcCei8KRVPLhyd:Ey8cN4ouWBR5Mc2aI8Kgd
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it305488.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it305488.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it305488.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it305488.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it305488.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it305488.exe

Executes dropped EXE 4 IoCs
pid | Process
4276 | ziyW3497.exe
5024 | it305488.exe
2788 | kp606057.exe
4292 | lr907045.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it305488.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziyW3497.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziyW3497.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1180 | 2788 | WerFault.exe | 89

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5024 | it305488.exe
5024 | it305488.exe
2788 | kp606057.exe
2788 | kp606057.exe
4292 | lr907045.exe
4292 | lr907045.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5024 | it305488.exe
Token: SeDebugPrivilege | 2788 | kp606057.exe
Token: SeDebugPrivilege | 4292 | lr907045.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 3224 wrote to memory of 4276 | 3224 | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe | 83
PID 3224 wrote to memory of 4276 | 3224 | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe | 83
PID 3224 wrote to memory of 4276 | 3224 | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe | 83
PID 4276 wrote to memory of 5024 | 4276 | ziyW3497.exe | 84
PID 4276 wrote to memory of 5024 | 4276 | ziyW3497.exe | 84
PID 4276 wrote to memory of 2788 | 4276 | ziyW3497.exe | 89
PID 4276 wrote to memory of 2788 | 4276 | ziyW3497.exe | 89
PID 4276 wrote to memory of 2788 | 4276 | ziyW3497.exe | 89
PID 3224 wrote to memory of 4292 | 3224 | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe | 96
PID 3224 wrote to memory of 4292 | 3224 | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe | 96
PID 3224 wrote to memory of 4292 | 3224 | 0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe | 96
Processes

- C:\Users\Admin\AppData\Local\Temp\0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe
  "C:\Users\Admin\AppData\Local\Temp\0344daf35b71b23b640754f6537981879a55a40a267f825fb6178644d66df6e8.exe"
  PID:3224
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyW3497.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyW3497.exe
    PID:4276
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it305488.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it305488.exe
      PID:5024
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp606057.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp606057.exe
      PID:2788
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2060
        PID:1180
        - Program crash

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr907045.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr907045.exe
    PID:4292
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2788 -ip 2788
  PID:3956
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: 8c80b06d843bd6a7599a5be2075d9a55
SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

Filesize: 409KB
MD5: e3edb1b43dd90680ea02f4858d9b8244
SHA1: 8f6f28f7a4d1896b97ceee04ccbc4eeb43c155e4
SHA256: 5945f92f7a4e67212ee0c07fa48fdd035905152915092efb46fb25e334f39887
SHA512: e434d562cb7f3a86fd6db7694073f53f4f9e7750f1769abf5e196bc301045d3c93bac22d08545b38de8194c31c1e58cc728a010aff13a233622688b3704c0d73

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 361KB
MD5: ef7777e4b6f7ba32cc502c21ad057d08
SHA1: 0fa97e4a04bbb9fcef11121ccb704552703a248f
SHA256: c8537a13b03cb6bfe11f9da4ffe3cfecb626743a585a9d1ce17f28f1a47155e1
SHA512: 6bd9e4efa5e32fb94214b0cf21584ee186ccd41d13bc0633ef37f5cb0c3b2e06ab562e9bdd4ea241a067ca339d148f5a2233c8eccb62fd78ce5692af74c466c3