Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 21:04
Static task
- static1
General
- Target: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe
- Size: 704KB
- MD5: a1fb54fc801151951bec3e3daaa99708
- SHA1: 3b8a4b46ae84fe565fbefd42a89546c89ee91e8d
- SHA256: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b
- SHA512: 71130db6f345661e73d036099e3cb030e1083174953e75fee5dc4c53e168736810ab3d9bbd77f812ac0ee8542654312da32be4fd0b1f520142af20a173585c5b
- SSDEEP: 12288:1y90n8pMKFYXg13jFlThU/Vim9rKERCDqr/pNI1AzCeaIzxMkA/KGDovT2E9BVBQ:1yVpM2Ygjji/VAqz/pUszaI9Le+T3ncP
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr802234.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr802234.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr802234.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr802234.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr802234.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr802234.exe)
Executes dropped EXE 4 IoCs
- PID 4332: un894704.exe
- PID 100: pr802234.exe
- PID 4696: qu028242.exe
- PID 4292: si612855.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr802234.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr802234.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un894704.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un894704.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
- PID 4384: WerFault.exe, crashed target PID 100 (procid_target 88)
- PID 2896: WerFault.exe, crashed target PID 4696 (procid_target 98)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 100: pr802234.exe
- PID 100: pr802234.exe
- PID 4696: qu028242.exe
- PID 4696: qu028242.exe
- PID 4292: si612855.exe
- PID 4292: si612855.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, PID 100: pr802234.exe
- Token: SeDebugPrivilege, PID 4696: qu028242.exe
- Token: SeDebugPrivilege, PID 4292: si612855.exe
Suspicious use of WriteProcessMemory 12 IoCs
- PID 3996 wrote to memory of 4332: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (procid_target 87)
- PID 3996 wrote to memory of 4332: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (procid_target 87)
- PID 3996 wrote to memory of 4332: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (procid_target 87)
- PID 4332 wrote to memory of 100: un894704.exe (procid_target 88)
- PID 4332 wrote to memory of 100: un894704.exe (procid_target 88)
- PID 4332 wrote to memory of 100: un894704.exe (procid_target 88)
- PID 4332 wrote to memory of 4696: un894704.exe (procid_target 98)
- PID 4332 wrote to memory of 4696: un894704.exe (procid_target 98)
- PID 4332 wrote to memory of 4696: un894704.exe (procid_target 98)
- PID 3996 wrote to memory of 4292: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (procid_target 102)
- PID 3996 wrote to memory of 4292: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (procid_target 102)
- PID 3996 wrote to memory of 4292: b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (procid_target 102)
Processes
- C:\Users\Admin\AppData\Local\Temp\b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe (PID 3996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6b0dbc702e182585c0374dab8e77a2bf64ca3ac78039be0922f41db3ff4768b.exe"
  Signatures:
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894704.exe (PID 4332)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894704.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr802234.exe (PID 100)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr802234.exe
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe (PID 4384)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1084
        Signatures:
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu028242.exe (PID 4696)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu028242.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe (PID 2896)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1152
        Signatures:
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si612855.exe (PID 4292)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si612855.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 688)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 100 -ip 100
- C:\Windows\SysWOW64\WerFault.exe (PID 1640)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4696 -ip 4696
Network
MITRE ATT&CK Enterprise v6
Downloads