Analysis
max time kernel: 91s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2023, 11:27
Static task: static1
General
Target: 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
Size: 695KB
MD5: e8bfb84daa6546c7bfd202c4749f6b00
SHA1: 9ac08258a6492a30881d166744a2d185c6b551c4
SHA256: 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f
SHA512: 9cc6597e7d7b87ecde443063230022bbf2b71c7e251d11be287982d27d2b35e514a05228a74cfdb00ab83bb1740b73f39b47e081dec43ba780f2e99a6f012bd8
SSDEEP: 12288:Ly90C5vk34FXbH0BomiVqDG2XVKKvrMtQKZRhuoHP0iDVe7UN:Ly5A+X7gniVyG2XVKKvgt9jh8+e7UN
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 95969111.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 95969111.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 95969111.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 95969111.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 95969111.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 95969111.exe

Executes dropped EXE 4 IoCs
pid | Process
2860 | un946354.exe
3120 | 95969111.exe
4904 | rk176064.exe
4368 | si844105.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 95969111.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 95969111.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un946354.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un946354.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1412 | 3120 | WerFault.exe | 85
2312 | 4904 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3120 | 95969111.exe
3120 | 95969111.exe
4904 | rk176064.exe
4904 | rk176064.exe
4368 | si844105.exe
4368 | si844105.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3120 | 95969111.exe
Token: SeDebugPrivilege | 4904 | rk176064.exe
Token: SeDebugPrivilege | 4368 | si844105.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2796 wrote to memory of 2860 | 2796 | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe | 84
PID 2796 wrote to memory of 2860 | 2796 | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe | 84
PID 2796 wrote to memory of 2860 | 2796 | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe | 84
PID 2860 wrote to memory of 3120 | 2860 | un946354.exe | 85
PID 2860 wrote to memory of 3120 | 2860 | un946354.exe | 85
PID 2860 wrote to memory of 3120 | 2860 | un946354.exe | 85
PID 2860 wrote to memory of 4904 | 2860 | un946354.exe | 94
PID 2860 wrote to memory of 4904 | 2860 | un946354.exe | 94
PID 2860 wrote to memory of 4904 | 2860 | un946354.exe | 94
PID 2796 wrote to memory of 4368 | 2796 | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe | 99
PID 2796 wrote to memory of 4368 | 2796 | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe | 99
PID 2796 wrote to memory of 4368 | 2796 | 14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe (PID:2796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14faf704c4cae1957c53828f8ef8a66b28389bc27b2c059708e7d38d1617739f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946354.exe (PID:2860)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946354.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95969111.exe (PID:3120)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95969111.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID:1412)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk176064.exe (PID:4904)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk176064.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID:2312)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1956
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si844105.exe (PID:4368)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si844105.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID:3348)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe (PID:2576)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4904 -ip 4904
Network
MITRE ATT&CK Enterprise v6
Downloads