Analysis
max time kernel: 54s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26/04/2023, 17:05
Static task: static1
General
Target: ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Size: 697KB
MD5: 6efc55934592cb8a85fa3a83f993e28b
SHA1: 6cee545cc11d14da88aefae0cde0ad44eaee2940
SHA256: ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355
SHA512: d21b01eb3020aae0fed567e1845ab88c521b54c8ed6df7823cb32198710f076605a7cf95958191e0c003f89e07a08e1249c560cf29490fe20f033410f4764a9f
SSDEEP: 12288:ty90fnQ4MUmOE9EQxywvAj9ujjNNCaW3EwXldSVhhYWj57vlzO:ty/4xc9EQxyLYjBmZXlQnnfzO
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 69072912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 69072912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 69072912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 69072912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 69072912.exe
Executes dropped EXE 4 IoCs
pid | Process
1556 | un039840.exe
2312 | 69072912.exe
1428 | rk859349.exe
4052 | si596767.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 69072912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 69072912.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un039840.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un039840.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2312 | 69072912.exe
2312 | 69072912.exe
1428 | rk859349.exe
1428 | rk859349.exe
4052 | si596767.exe
4052 | si596767.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2312 | 69072912.exe
Token: SeDebugPrivilege | 1428 | rk859349.exe
Token: SeDebugPrivilege | 4052 | si596767.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1836 wrote to memory of 1556 | 1836 | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe | 66
PID 1836 wrote to memory of 1556 | 1836 | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe | 66
PID 1836 wrote to memory of 1556 | 1836 | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe | 66
PID 1556 wrote to memory of 2312 | 1556 | un039840.exe | 67
PID 1556 wrote to memory of 2312 | 1556 | un039840.exe | 67
PID 1556 wrote to memory of 2312 | 1556 | un039840.exe | 67
PID 1556 wrote to memory of 1428 | 1556 | un039840.exe | 68
PID 1556 wrote to memory of 1428 | 1556 | un039840.exe | 68
PID 1556 wrote to memory of 1428 | 1556 | un039840.exe | 68
PID 1836 wrote to memory of 4052 | 1836 | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe | 70
PID 1836 wrote to memory of 4052 | 1836 | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe | 70
PID 1836 wrote to memory of 4052 | 1836 | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe | 70
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1836

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1556

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2312

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1428

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si596767.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si596767.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4052
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: e1c805d3cefe221689da30b8a2d944f2
SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Filesize: 136KB
MD5: e1c805d3cefe221689da30b8a2d944f2
SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Filesize: 542KB
MD5: 95de9bc57944caa7d11e546c1ca89d6b
SHA1: 3f5de289e52313a924836e77a80b5f877d583b84
SHA256: 02fa75eb5e34fc192926f82b85cc0b829fa58751cc5ea800df61285420d7178d
SHA512: 63a25a1eca8b77a65ef789d0f5132798967d3be5d689b9094167036b7b0a7f0fa5326f46dbb28c1183aaba4a0b8d4c75fa44be9fa578ff415c9b78f1eb447246

Filesize: 542KB
MD5: 95de9bc57944caa7d11e546c1ca89d6b
SHA1: 3f5de289e52313a924836e77a80b5f877d583b84
SHA256: 02fa75eb5e34fc192926f82b85cc0b829fa58751cc5ea800df61285420d7178d
SHA512: 63a25a1eca8b77a65ef789d0f5132798967d3be5d689b9094167036b7b0a7f0fa5326f46dbb28c1183aaba4a0b8d4c75fa44be9fa578ff415c9b78f1eb447246

Filesize: 263KB
MD5: 872e0454fee70310ccfe1b94b13cfa7b
SHA1: 7a5ecac3fd09c5953ab3c00565eb44b88c52860f
SHA256: 48db4f6ecbac38e315f4159056f5addf427f4769bc3f539f48721566ce56a4c8
SHA512: f84597d292e14a0ad8d968606096b23b12090c5af6dcdde451fe7962edc3a1dd791b64603f9a5206386919e548e4a984ae407512ca17144d3a501ba07f1ec208

Filesize: 263KB
MD5: 872e0454fee70310ccfe1b94b13cfa7b
SHA1: 7a5ecac3fd09c5953ab3c00565eb44b88c52860f
SHA256: 48db4f6ecbac38e315f4159056f5addf427f4769bc3f539f48721566ce56a4c8
SHA512: f84597d292e14a0ad8d968606096b23b12090c5af6dcdde451fe7962edc3a1dd791b64603f9a5206386919e548e4a984ae407512ca17144d3a501ba07f1ec208

Filesize: 328KB
MD5: 49413204f477a7b87e6ee8781d5bc523
SHA1: 2aa8c3acc2bde76e60c55e44efe4acc3781ec519
SHA256: aa1c0631059ce7c8c6cdb17fd27fe38aae1c0f8aedffb4a9f9fc76c58bf7ac73
SHA512: 249150fd49c26c124235c73b0b2e5eba9ecefd3a221b2bb91ad3fcc5e3472660434c64681fbd2484964d312fcfd0c67852b6c6f7994a92305e2697051420dbc3

Filesize: 328KB
MD5: 49413204f477a7b87e6ee8781d5bc523
SHA1: 2aa8c3acc2bde76e60c55e44efe4acc3781ec519
SHA256: aa1c0631059ce7c8c6cdb17fd27fe38aae1c0f8aedffb4a9f9fc76c58bf7ac73
SHA512: 249150fd49c26c124235c73b0b2e5eba9ecefd3a221b2bb91ad3fcc5e3472660434c64681fbd2484964d312fcfd0c67852b6c6f7994a92305e2697051420dbc3