Analysis
max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2023, 21:03
Static task
static1
General
Target: 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe
Size: 704KB
MD5: df70728480bb4580dd86a4dbec614dc8
SHA1: d60cfc801f7b249f6e82cbfe086c012fdc0da402
SHA256: 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc
SHA512: 83ab33562165f924b7aa3768a3c835d9e69e4691ca4569f10fba2ba5127825c6f481e1519c840f7222f07818a943ea513c6c2a747336fcbb2e903bf6c84bc0ec
SSDEEP: 12288:Gy90kTwluhO0lICVYbX6T9RfG4DmB6RAYHATH5I18zCNYIzVMh+/KRpIvaoZ:GykuxGgQ6BR+4O6qV8ooYIhe5IaE
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
Columns: description, ioc, Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr569450.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr569450.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr569450.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr569450.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr569450.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr569450.exe
Executes dropped EXE 4 IoCs
Columns: pid, Process
- 2324 un628847.exe
- 4728 pr569450.exe
- 264 qu725107.exe
- 1552 si339546.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
Columns: description, ioc, Process
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr569450.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr569450.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Columns: description, ioc, Process
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un628847.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un628847.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
Columns: pid, pid_target, Process, procid_target
- 2600 4728 WerFault.exe 84
- 804 264 WerFault.exe 87
Suspicious behavior: EnumeratesProcesses 6 IoCs
Columns: pid, Process
- 4728 pr569450.exe
- 4728 pr569450.exe
- 264 qu725107.exe
- 264 qu725107.exe
- 1552 si339546.exe
- 1552 si339546.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Columns: description, pid, Process
- Token: SeDebugPrivilege 4728 pr569450.exe
- Token: SeDebugPrivilege 264 qu725107.exe
- Token: SeDebugPrivilege 1552 si339546.exe
Suspicious use of WriteProcessMemory 12 IoCs
Columns: description, pid, Process, procid_target
- PID 2148 wrote to memory of 2324 2148 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe 83
- PID 2148 wrote to memory of 2324 2148 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe 83
- PID 2148 wrote to memory of 2324 2148 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe 83
- PID 2324 wrote to memory of 4728 2324 un628847.exe 84
- PID 2324 wrote to memory of 4728 2324 un628847.exe 84
- PID 2324 wrote to memory of 4728 2324 un628847.exe 84
- PID 2324 wrote to memory of 264 2324 un628847.exe 87
- PID 2324 wrote to memory of 264 2324 un628847.exe 87
- PID 2324 wrote to memory of 264 2324 un628847.exe 87
- PID 2148 wrote to memory of 1552 2148 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe 90
- PID 2148 wrote to memory of 1552 2148 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe 90
- PID 2148 wrote to memory of 1552 2148 1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe 90
Processes
Process tree (indentation shows parent/child nesting; each entry gives the image path, PID, command line and the signatures that matched):

C:\Users\Admin\AppData\Local\Temp\1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe (PID 2148)
Command line: "C:\Users\Admin\AppData\Local\Temp\1ad57180b67da233dee9b9c070ae9b3ce08a134fad6847fa71f2c7b7e4872dcc.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628847.exe (PID 2324)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628847.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr569450.exe (PID 4728)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr569450.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 2600)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1076
      - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725107.exe (PID 264)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu725107.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 804)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1520
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si339546.exe (PID 1552)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si339546.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 60)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe (PID 1772)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 264 -ip 264
Network
MITRE ATT&CK Enterprise v6
Downloads