Analysis
max time kernel: 73s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-04-2023 22:00
Static task: static1
General
Target: aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe
Size: 747KB
MD5: 836d02449110354216fc052d76b9f891
SHA1: 33dd799a816baeb0d09d2dc05c933a5e21c5af89
SHA256: aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948
SHA512: 3f58f55e177b48aed24cad90ebc0af49ffce6c2162259244b70bf7a35bb08bc566bdf3bc9d812bd660d92daba5ec44c992c29e3f40c11d525240413ba6990638
SSDEEP: 12288:Zy90/36DKrGVkH4I2yRfwxyrqNHCKZ8d5FOB7V8fcvlabo4wh2dgpfW:ZyA6GrGVkHL28rqRCzKWfcvAboZ4uO
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (05321698.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (05321698.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (05321698.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (05321698.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (05321698.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (05321698.exe)
These are the Group Policy values Defender honours for real-time protection; writing them from a 32-bit process lands under WOW6432Node, which is why the paths carry that component.
Executes dropped EXE 4 IoCs
pid / process:
- 1516 un743718.exe
- 2296 05321698.exe
- 3308 rk222900.exe
- 4632 si034186.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (05321698.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (05321698.exe)
Note that on a host where Tamper Protection is actually enabled, Defender blocks registry edits to its real-time protection settings, so the attempt itself is the indicator; whether it took effect in this sandbox image is not shown by the write alone.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description / ioc / process:
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un743718.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un743718.exe)
The wextract_cleanupN values are the standard self-cleanup written by the Windows wextract/IExpress self-extracting stub: DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at next logon. They are not persistence for the payload; the value index (0, then 1) shows two nested self-extracting layers, the outer sample and the dropped un743718.exe.
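The three registry signatures above (Defender real-time protection policy values, the TamperProtection feature flag, and the wextract RunOnce cleanup entries) can be picked out of endpoint telemetry with one small classifier. The following is an added example written for this page, not code from the sandbox or its report; it runs over constructed records shaped like Sysmon Event ID 13 (registry value set) with the Image, TargetObject and Details fields, and the hypothetical rule names are my own. It also handles the two cases a naive string match gets wrong: the re-enable direction (value set back to 0) and the WOW6432Node redirection of 32-bit writers.

```python
"""Registry-write triage for the three signatures above.

Added example, not part of the sandbox report. Records are constructed in the shape of
Sysmon Event ID 13 (RegistryEvent: value set); the IoC values are copied from the report,
everything else (rule names, the negative samples) is an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns are matched against a normalized key (HKLM prefix, WOW6432Node removed).
RTP_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER_RE = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
WEXTRACT_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup(\d+)$", re.I)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.I)

# Constructed events: four mirror the report's IoCs, the last two are negatives that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05321698.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05321698.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05321698.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un743718.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    # Negative: an admin re-enabling real-time monitoring writes the same value name with 0.
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Negative: an ordinary Run value (constructed) under the same CurrentVersion tree.
    {"Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def normalize_key(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE prefixes to HKLM and drop
    the WOW6432Node redirection so one pattern covers 32-bit and 64-bit writers."""
    for prefix in (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"):
        if path.upper().startswith(prefix.upper()):
            path = "HKLM" + path[len(prefix):]
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def dword_value(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; string values yield None."""
    m = re.match(r"DWORD \((0x[0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> Optional[Finding]:
    key = normalize_key(event["TargetObject"])
    val = dword_value(event["Details"])
    m = RTP_RE.match(key)
    if m and val == 1:  # only the disable direction is suspicious
        return Finding("defender_rtp_disabled", event["Image"], m.group(1))
    if TAMPER_RE.match(key) and val == 0:
        return Finding("defender_tamper_protection_off", event["Image"], "TamperProtection=0")
    m = WEXTRACT_RE.match(key)
    d = DELNODE_RE.search(event["Details"])
    if m and d:  # nesting level from the value name, extraction dir from the command line
        return Finding("wextract_cleanup", event["Image"], f"level {m.group(1)} dir {d.group(1)}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}  {f.detail}")
```

The wextract rule is deliberately low severity: it fires on any IExpress-packaged installer, so its value here is context (it reveals the nesting depth and the IXP directories to collect) rather than a verdict. The Defender rules are the opposite: a process that is neither Group Policy nor the Defender service writing these values is worth an alert on its own, and on a host with Tamper Protection on the write will have been blocked, which makes the attempt the durable evidence.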
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / process (each listed twice):
- 2296 05321698.exe
- 3308 rk222900.exe
- 4632 si034186.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / process:
- Token: SeDebugPrivilege, 2296 05321698.exe
- Token: SeDebugPrivilege, 3308 rk222900.exe
- Token: SeDebugPrivilege, 4632 si034186.exe
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / process / procid_target (each row appears three times in the report):
- PID 2628 (aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe) wrote to memory of 1516, procid_target 83 (x3)
- PID 1516 (un743718.exe) wrote to memory of 2296, procid_target 84 (x3)
- PID 1516 (un743718.exe) wrote to memory of 3308, procid_target 89 (x3)
- PID 2628 (aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe) wrote to memory of 4632, procid_target 90 (x3)
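The WriteProcessMemory rows are the raw material the report's process tree is built from: every target PID is a process the writer launched, and each pair is recorded three times. The following added example (mine, not the sandbox's code) parses rows in the report's own flattened format, constructed here from the entries above, rebuilds the parent/child tree, and separately lists any write into a PID that is not one of the dropped executables, which is the check that would separate ordinary child-process staging from injection into a foreign process. The row format and the PID-to-image map are taken from this page; the function names are my own.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed from the
report's own rows (in its flattened 'PID a wrote to memory of b a image procid' shape);
DROPPED is the report's 'Executes dropped EXE' table.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

ROOT_IMAGE = "aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe"
_UNIQUE_ROWS = [
    f"PID 2628 wrote to memory of 1516 2628 {ROOT_IMAGE} 83",
    "PID 1516 wrote to memory of 2296 1516 un743718.exe 84",
    "PID 1516 wrote to memory of 3308 1516 un743718.exe 89",
    f"PID 2628 wrote to memory of 4632 2628 {ROOT_IMAGE} 90",
]
# The report repeats every row three times; reproduce that so the counts are meaningful.
SAMPLE_ROWS = [row for row in _UNIQUE_ROWS for _ in range(3)]

# PID -> image for the dropped executables (from the 'Executes dropped EXE' signature).
DROPPED: Dict[int, str] = {1516: "un743718.exe", 2296: "05321698.exe",
                           3308: "rk222900.exe", 4632: "si034186.exe"}


def parse_rows(rows: List[str]) -> Tuple[Counter, Dict[int, int], Dict[int, str]]:
    """Return (write counts per (writer, target), target -> procid_target, writer -> image)."""
    edges: Counter = Counter()
    target_ids: Dict[int, int] = {}
    images: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # tolerate stray separator lines from the page
        writer, target, writer_again, image, procid = m.groups()
        if writer != writer_again:
            raise ValueError(f"malformed row: {row}")
        edges[(int(writer), int(target))] += 1
        target_ids[int(target)] = int(procid)
        images[int(writer)] = image
    return edges, target_ids, images


def render_tree(edges: Counter, target_ids: Dict[int, int], images: Dict[int, str], root: int) -> List[str]:
    """Indented tree, children ordered by the sandbox procid (its spawn order)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    for kids in children.values():
        kids.sort(key=lambda c: target_ids[c])
    lines: List[str] = []

    def walk(pid: int, parent, depth: int) -> None:
        note = "" if parent is None else f"  [{edges[(parent, pid)]} writes, procid_target {target_ids[pid]}]"
        lines.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}{note}")
        for child in children[pid]:
            walk(child, pid, depth + 1)

    walk(root, None, 0)
    return lines


def foreign_targets(edges: Counter, images: Dict[int, str]) -> List[int]:
    """Targets that are not a known dropped/parsed image: where injection would show up."""
    return sorted({child for (_, child) in edges if child not in images})


def analyze(rows: List[str] = SAMPLE_ROWS) -> Tuple[List[str], List[int]]:
    edges, target_ids, writer_images = parse_rows(rows)
    images = {**DROPPED, **writer_images}
    children_set = {child for (_, child) in edges}
    roots = sorted({parent for (parent, _) in edges if parent not in children_set})
    return render_tree(edges, target_ids, images, roots[0]), foreign_targets(edges, images)


if __name__ == "__main__":
    tree, foreign = analyze()
    print("\n".join(tree))
    print("writes into non-dropped PIDs:", foreign or "none")
```

Run on the rows above it prints the same five-process tree the Processes section shows, with 3 writes per child, and an empty foreign-target list: every write went into a process the writer had just created, which is the normal child-staging pattern rather than injection into an existing process.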
Processes
C:\Users\Admin\AppData\Local\Temp\aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aceab1f3a3b2e6e9f4ebef15b772d6c5ae4a59a41ec72d004a890da9bc4fe948.exe"
  PID: 2628
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un743718.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un743718.exe
    PID: 1516
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05321698.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05321698.exe
      PID: 2296
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222900.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk222900.exe
      PID: 3308
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si034186.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si034186.exe
    PID: 4632
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: b9f17cc95395f13838ba119abc3f742f
  SHA1: ecdbc7ef78234c1c7009fdbc6f744c511067767d
  SHA256: 2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15
  SHA512: bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca
- Filesize: 593KB
  MD5: 6b9aeab88eab3e13f790adf18d567a08
  SHA1: 87eadde9b26606bebc53a95c728749fc0d3ed1ab
  SHA256: cd44d7764c48829f888a14c5f51325bd720f470a3497cea1e4a3791a8404feb8
  SHA512: a86e20787e1d38fdb2946e20e9de3b2e3d28a21c4de0969316c9657698622b3c57dee87677826833deb61a0b4fbbfeec6652036277d2492e567dc315dea71b35
- Filesize: 377KB
  MD5: ebb81fe7b4c482504ef8440c37d8499f
  SHA1: 20495f1c799d129844cd1abc10304ca2dc6b7134
  SHA256: ea9207d574e744f3cbcad043f491b38d21d8c1ae7424c6a63baa7a2bcd4f7c8c
  SHA512: 267c025f2dbf57c33337ed7a84c4ed032db882263619bc51b0bb0dbf9606a3e16c21629c42f2b7dea2d92ae63d1549746a14fae0be2a4a36cc17a7045987274c
- Filesize: 459KB
  MD5: 807306a54a16be77610e2c15e01c2380
  SHA1: e80d69d7c26522e43c0236f176dcd2e1f18c13c1
  SHA256: 92594849debc3a2c64032f16ec736282db7ce6e4a8bda9e145f61dd37f0fa6be
  SHA512: 87c63b12b4f3b2ddd61f3399b7303aff10e39d9efcf86bd2828a47b6b2fd906cd1da21bf292c03d559312febafa7cdc81af463c72a5ae76a02de4bddc0a9e006