Analysis Overview
SHA256
0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486
Threat Level: Known bad
The file 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Launches sc.exe
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:40
Reported
2023-04-23 23:43
Platform
win10v2004-20230221-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | N/A |
Checks installed software on the system
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | "C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2036 -ip 2036 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1080 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3836 -ip 3836 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1344 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 117.18.237.29:80 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 40.77.2.164:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 52.168.112.66:443 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe
| MD5 | 3716070e9cf82b326e533cb2b251ae06 |
| SHA1 | 0cb712593323fca6d0637028629c9104e179eb0b |
| SHA256 | 0e00246e7fbc2943d3895655ed324d8b1c64002eec03494bef9b779acf5b03cb |
| SHA512 | 52a831d50ec46e504da4a7c74b84464ed6698c2271e5266e19e37c68d8277351639777795cfbbe26fe6f37fe65d7fb3a07959385136a81138ccc88ceffab6a5c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe
| MD5 | 11e72c2a4887cd2e6f90623db124f4dc |
| SHA1 | 68b89e8ad8859959ffe8c9f06134b623d340f9cb |
| SHA256 | 2bd8922b86b99725d39f2b0c9411656306a0589f534000b6c663cb719480d96f |
| SHA512 | 3baffcc65815baaaa24c0444406111f6a4f4e55b2eb626254485083e804980a33c3582017b2124136d5212214d67ef51edd4c015ff6b98b65ae05931b431a7e3 |
memory/2036-148-0x0000000007290000-0x0000000007834000-memory.dmp
memory/2036-149-0x0000000002BB0000-0x0000000002BDD000-memory.dmp
memory/2036-150-0x0000000007280000-0x0000000007290000-memory.dmp
memory/2036-151-0x0000000007280000-0x0000000007290000-memory.dmp
memory/2036-152-0x0000000007280000-0x0000000007290000-memory.dmp
memory/2036-153-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-156-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-154-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-158-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-160-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-162-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-164-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-166-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-168-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-170-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-172-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-174-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-176-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-178-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-180-0x0000000004BF0000-0x0000000004C02000-memory.dmp
memory/2036-181-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2036-182-0x0000000007280000-0x0000000007290000-memory.dmp
memory/2036-183-0x0000000007280000-0x0000000007290000-memory.dmp
memory/2036-184-0x0000000007280000-0x0000000007290000-memory.dmp
memory/2036-186-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe
| MD5 | eadd8ff67f7fd246be33d6a1a5cedbc8 |
| SHA1 | 946299436c436942683bf78b6e2a45098077411e |
| SHA256 | 7a5278fb7f31f95af5a0cd775707fbcb6b6dd61b915405a996127643d5892af5 |
| SHA512 | c28fce2a0833fe3cea3dca39ab0e0a1ba9b10dc41f6f1343187fd50b7d799aac491b8884b75ae25d36a0f258c02dfacbb00d8e4931f77356a622036ed2aaf073 |
memory/3836-191-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-192-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-194-0x0000000002CC0000-0x0000000002D06000-memory.dmp
memory/3836-197-0x0000000007340000-0x0000000007350000-memory.dmp
memory/3836-199-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-200-0x0000000007340000-0x0000000007350000-memory.dmp
memory/3836-198-0x0000000007340000-0x0000000007350000-memory.dmp
memory/3836-202-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-195-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-204-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-206-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-208-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-210-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-214-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-212-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-216-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-218-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-220-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-222-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-224-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-226-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-228-0x0000000004D40000-0x0000000004D75000-memory.dmp
memory/3836-987-0x0000000009C80000-0x000000000A298000-memory.dmp
memory/3836-988-0x000000000A320000-0x000000000A332000-memory.dmp
memory/3836-989-0x000000000A340000-0x000000000A44A000-memory.dmp
memory/3836-990-0x000000000A460000-0x000000000A49C000-memory.dmp
memory/3836-991-0x0000000007340000-0x0000000007350000-memory.dmp
memory/3836-992-0x000000000A760000-0x000000000A7C6000-memory.dmp
memory/3836-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp
memory/3836-994-0x000000000AFE0000-0x000000000B030000-memory.dmp
memory/3836-995-0x000000000B040000-0x000000000B0B6000-memory.dmp
memory/3836-996-0x000000000B120000-0x000000000B2E2000-memory.dmp
memory/3836-997-0x000000000B300000-0x000000000B82C000-memory.dmp
memory/3836-998-0x000000000B930000-0x000000000B94E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/740-1004-0x0000000000020000-0x0000000000048000-memory.dmp
memory/740-1005-0x0000000006E50000-0x0000000006E60000-memory.dmp