Analysis
- max time kernel: 93s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2023, 21:06
- Static task: static1
General
- Target: ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe
- Size: 703KB
- MD5: db7f826d619baf68175cf4407e698ff5
- SHA1: 1b38df7061b3053ad655457e40d891f5fe0306f2
- SHA256: ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753
- SHA512: 0cb88bd95a65c3eb9b147133b9ee3d04606e09b4ac8fd2cec63219e80a4717e806917203e4f85a05cb3aedc84db3467f80fa99aebd0a882ca772eb7c51757ecb
- SSDEEP: 12288:Uy90v3m6ekBH1u27+LbAGLpthI1mzCjtIzqMp8/KHGs0Mt6KBe:UyCm67BH1u27+fLpeOitI+CzGQt6Ee
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr092824.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr092824.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr092824.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr092824.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr092824.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr092824.exe |
Executes dropped EXE 4 IoCs
| pid | Process |
| --- | --- |
| 2068 | un908782.exe |
| 4460 | pr092824.exe |
| 3328 | qu161254.exe |
| 3780 | si748007.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr092824.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr092824.exe |
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un908782.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un908782.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 2556 | 4460 | WerFault.exe | 83 |
| 984 | 3328 | WerFault.exe | 89 |
Suspicious behavior: EnumeratesProcesses 6 IoCs
| pid | Process |
| --- | --- |
| 4460 | pr092824.exe |
| 4460 | pr092824.exe |
| 3328 | qu161254.exe |
| 3328 | qu161254.exe |
| 3780 | si748007.exe |
| 3780 | si748007.exe |
Suspicious use of AdjustPrivilegeToken 3 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4460 | pr092824.exe |
| Token: SeDebugPrivilege | 3328 | qu161254.exe |
| Token: SeDebugPrivilege | 3780 | si748007.exe |
Suspicious use of WriteProcessMemory 12 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1636 wrote to memory of 2068 | 1636 | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe | 82 |
| PID 1636 wrote to memory of 2068 | 1636 | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe | 82 |
| PID 1636 wrote to memory of 2068 | 1636 | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe | 82 |
| PID 2068 wrote to memory of 4460 | 2068 | un908782.exe | 83 |
| PID 2068 wrote to memory of 4460 | 2068 | un908782.exe | 83 |
| PID 2068 wrote to memory of 4460 | 2068 | un908782.exe | 83 |
| PID 2068 wrote to memory of 3328 | 2068 | un908782.exe | 89 |
| PID 2068 wrote to memory of 3328 | 2068 | un908782.exe | 89 |
| PID 2068 wrote to memory of 3328 | 2068 | un908782.exe | 89 |
| PID 1636 wrote to memory of 3780 | 1636 | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe | 92 |
| PID 1636 wrote to memory of 3780 | 1636 | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe | 92 |
| PID 1636 wrote to memory of 3780 | 1636 | ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe | 92 |
Processes (process tree; nesting shows parent/child relationships, each entry lists image path, PID, command line and triggered signatures)
- C:\Users\Admin\AppData\Local\Temp\ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe (PID 1636), command line: "C:\Users\Admin\AppData\Local\Temp\ddd057ef15fc81dfd43fe8ab2a59afd95209174e3e89b4f9aad493b124dfb753.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un908782.exe (PID 2068), command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un908782.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr092824.exe (PID 4460), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr092824.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2556), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1088
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu161254.exe (PID 3328), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu161254.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 984), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1308
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si748007.exe (PID 3780), command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si748007.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2816), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4460 -ip 4460
- C:\Windows\SysWOW64\WerFault.exe (PID 3212), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3328 -ip 3328
Network
MITRE ATT&CK Enterprise v6
Downloads