Analysis
max time kernel: 109s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 21:02
Static task: static1
General
Target: 586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe
Size: 703KB
MD5: fa5e5cef9ea4cd28231ff70469b0b851
SHA1: b78a8974f62dbb73c313acc744cbe7d40d00df4c
SHA256: 586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44
SHA512: 4ef048382ef7f36e200cd48e657f1e7b9721a5c57cd471e641cb9282846658d3ae779a18b254dd01e8cc9dc7a173d8d524d450b24678eff9e550642543086dfe
SSDEEP: 12288:wy90wzQQ/Hsli9d/tCDEVN5R+OBqt4I1azCiMIzlMS+/KfqG0Il:wyKQEli9eYVN/+O0PS3MIZpYE
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr152996.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr152996.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr152996.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr152996.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr152996.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr152996.exe)
Executes dropped EXE 4 IoCs
- PID 4220: un474860.exe
- PID 1052: pr152996.exe
- PID 4056: qu678384.exe
- PID 2012: si045489.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr152996.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr152996.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un474860.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un474860.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
- pid 2124, pid_target 1052: WerFault.exe (procid_target 86)
- pid 2520, pid_target 4056: WerFault.exe (procid_target 89)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 1052: pr152996.exe
- PID 1052: pr152996.exe
- PID 4056: qu678384.exe
- PID 4056: qu678384.exe
- PID 2012: si045489.exe
- PID 2012: si045489.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, PID 1052: pr152996.exe
- Token: SeDebugPrivilege, PID 4056: qu678384.exe
- Token: SeDebugPrivilege, PID 2012: si045489.exe
Suspicious use of WriteProcessMemory 12 IoCs
- PID 748 wrote to memory of 4220 (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe, procid_target 85)
- PID 748 wrote to memory of 4220 (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe, procid_target 85)
- PID 748 wrote to memory of 4220 (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe, procid_target 85)
- PID 4220 wrote to memory of 1052 (un474860.exe, procid_target 86)
- PID 4220 wrote to memory of 1052 (un474860.exe, procid_target 86)
- PID 4220 wrote to memory of 1052 (un474860.exe, procid_target 86)
- PID 4220 wrote to memory of 4056 (un474860.exe, procid_target 89)
- PID 4220 wrote to memory of 4056 (un474860.exe, procid_target 89)
- PID 4220 wrote to memory of 4056 (un474860.exe, procid_target 89)
- PID 748 wrote to memory of 2012 (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe, procid_target 93)
- PID 748 wrote to memory of 2012 (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe, procid_target 93)
- PID 748 wrote to memory of 2012 (586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe, procid_target 93)
Processes
C:\Users\Admin\AppData\Local\Temp\586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe (PID 748)
Command line: "C:\Users\Admin\AppData\Local\Temp\586b0571e45e8185aaaf863f39b1ee86572b79f47f1d307f7d1dbd5b7a2fbc44.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un474860.exe (PID 4220)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un474860.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr152996.exe (PID 1052)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr152996.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 2124)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1080
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu678384.exe (PID 4056)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu678384.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 2520)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1972
            - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si045489.exe (PID 2012)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si045489.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 4768)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1052 -ip 1052
C:\Windows\SysWOW64\WerFault.exe (PID 2296)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4056 -ip 4056
Network
MITRE ATT&CK Enterprise v6
Downloads