Analysis Overview
| SHA256 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095 |
Threat Level: Known bad
The file dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095 was found to be: Known bad.
Malicious Activity Summary
RedLine
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2023-02-13 15:09 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-02-13 15:09 |
| Reported | 2023-02-13 15:11 |
| Platform | win10-20220812-en |
| Max time kernel | 56s |
| Max time network | 146s |
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe
"C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.12:4132 | | tcp |
| RU | 176.113.115.17:4132 | | tcp |
| IE | 20.50.73.9:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/2360-120-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-121-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-122-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-123-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-124-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-125-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-126-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-127-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-128-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-129-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-130-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-131-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-132-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-133-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-134-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-135-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-136-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-137-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-138-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-139-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-140-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-141-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-142-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-143-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-144-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-145-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-146-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-148-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-147-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-149-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-150-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-151-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-152-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-153-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-154-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-155-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-156-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-157-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-159-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-160-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-158-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-161-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-162-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-163-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-164-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/2360-165-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-168-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-170-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-171-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-172-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-175-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-177-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-179-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-181-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-182-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-180-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-178-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-184-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-185-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-186-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-183-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-176-0x00000000776F0000-0x000000007787E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
| MD5 | d901c40d66f39ce57245aebcc139a5ad |
| SHA1 | 0cdfe58bce9a8c9abedc65610c744383406f8ede |
| SHA256 | bd87b9d04c03d49359727f4d60bc77f1de2411ff7b619dc593c18dabf9ef4c09 |
| SHA512 | 4a5a66abe4db90bf14034113bcaf383a264fafbf1cfa236afb427acb9d0e45c07f73e47cc9b9c8f5ec111a1e5c5a00ae3f9ea2b24a061a05b2961824c05839ed |
memory/4556-173-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-169-0x00000000776F0000-0x000000007787E000-memory.dmp
memory/4556-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
| MD5 | da6f3bef8abc85bd09f50783059964e3 |
| SHA1 | a0f25f60ec1896c4c920ea397f40e6ce29724322 |
| SHA256 | e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b |
| SHA512 | 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec |
memory/1416-215-0x0000000000000000-mapping.dmp
memory/1416-265-0x0000000000070000-0x00000000000A2000-memory.dmp
memory/1416-278-0x0000000004E10000-0x0000000005416000-memory.dmp
memory/1416-279-0x00000000049A0000-0x0000000004AAA000-memory.dmp
memory/1416-281-0x00000000048D0000-0x00000000048E2000-memory.dmp
memory/1416-283-0x0000000004930000-0x000000000496E000-memory.dmp
memory/1416-285-0x0000000004AB0000-0x0000000004AFB000-memory.dmp
memory/1416-290-0x0000000004CA0000-0x0000000004D06000-memory.dmp
memory/1416-298-0x0000000005B20000-0x000000000601E000-memory.dmp
memory/1416-299-0x0000000005810000-0x00000000058A2000-memory.dmp
memory/1416-301-0x00000000058B0000-0x0000000005926000-memory.dmp
memory/1416-302-0x0000000005930000-0x0000000005980000-memory.dmp
memory/1416-303-0x00000000061F0000-0x00000000063B2000-memory.dmp
memory/1416-304-0x00000000068F0000-0x0000000006E1C000-memory.dmp
memory/2928-312-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
| MD5 | 062a3c73b1aaf076abefd71633b66de5 |
| SHA1 | e4b7e004c32d673fd61b1669c797dc4b207d8445 |
| SHA256 | f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881 |
| SHA512 | 6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3 |
memory/2928-362-0x0000000000480000-0x00000000004B2000-memory.dmp
memory/4724-397-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
| MD5 | 1dfaea61e3959f902a94287e95ee6824 |
| SHA1 | a303be2ea1744692c8bf527568100d2182ddf58a |
| SHA256 | 1054db02a2bf17fa18d0f4422f9fa62893cd437bdb74d31225643b7c0c1861e6 |
| SHA512 | c69619f34be5345efd95a91d5771564651e521ff5cccad9b5ce694eed982344539bbfcb9f39bae0208b4a62c9215ca82f254715606a99cedabdf47ad0dcf7dd3 |
memory/4724-453-0x0000000000B60000-0x0000000000B7A000-memory.dmp
memory/4724-458-0x00000000022D0000-0x00000000022E8000-memory.dmp
memory/4724-460-0x00000000008F1000-0x0000000000911000-memory.dmp
memory/4724-461-0x00000000001D0000-0x00000000001FD000-memory.dmp
memory/4724-463-0x0000000000400000-0x000000000056B000-memory.dmp
memory/4724-464-0x00000000008F1000-0x0000000000911000-memory.dmp
memory/4724-466-0x00000000008F1000-0x0000000000911000-memory.dmp
memory/4724-467-0x0000000000400000-0x000000000056B000-memory.dmp