Analysis Overview
SHA256
54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177
Threat Level: Known bad
The file 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:43
Reported
2023-04-23 23:46
Platform
win10v2004-20230220-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
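The two Defender tables above (five Real-Time Protection policy values set to 1, then TamperProtection set to 0, all by pr710256.exe) translate directly into a registry-write detection. The Python below is an added example and is not code from the report or from the sandbox; it canonicalizes registry paths written in the report's `\REGISTRY\MACHINE\...\WOW6432Node\...` form (and Sysmon's `HKLM\...` form) so 32-bit and 64-bit writers hit the same rule, then flags the same writes. It generalizes slightly past the report by matching the Real-Time Protection key under both `Policies\Microsoft\Windows Defender` and `Microsoft\Windows Defender`. The event records are constructed sample input, not log lines from the report. Note that the sandbox records the write attempt, not whether Defender honoured it; on a host with Tamper Protection enabled these settings are protected and the rule fires on the attempt.

```python
"""Detect Windows Defender tampering from registry value-set events.

Added example (not part of the sandbox report). The value names below are
the ones the report lists under "Modifies Windows Defender Real-time
Protection settings" and "Windows security modification"; the event
records at the bottom are constructed sample input in a simplified
Sysmon Event ID 13 shape (process, target value, details).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Real-Time Protection values the sample set to 1 (each switches off one
# protection component when Defender honours the policy).
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
RTP_KEY_SUFFIX = r"\microsoft\windows defender\real-time protection"
FEATURES_KEY_SUFFIX = r"\microsoft\windows defender\features"

_HIVE_ALIASES = [
    re.compile(r"^\\REGISTRY\\MACHINE\\", re.I),   # kernel-style path (sandbox report)
    re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I),     # long Win32 spelling
]
_WOW_NODE = re.compile(r"\\WOW6432Node\\", re.I)
_DWORD = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)


def normalize_key(path: str) -> str:
    """Lower-case canonical form of a registry path: one hive spelling and the
    WOW6432Node redirection node (the 32-bit view the report shows) removed."""
    for pat in _HIVE_ALIASES:
        path = pat.sub(lambda _m: "HKLM\\", path)
    path = _WOW_NODE.sub(lambda _m: "\\", path)
    return path.lower()


def dword_value(details: str) -> Optional[int]:
    """Extract the integer from Sysmon-style 'DWORD (0x00000001)' details."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


@dataclass
class RegEvent:
    process: str   # image that performed the write
    target: str    # full path of the value written
    details: str   # Sysmon-style rendering of the new data


@dataclass
class Finding:
    rule: str
    process: str
    target: str


def evaluate(event: RegEvent) -> Optional[Finding]:
    """Return a Finding when the event disables a Defender component."""
    key = normalize_key(event.target)
    parent, _, name = key.rpartition("\\")
    value = dword_value(event.details)
    # Suffix match covers both HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...
    # (what the sample wrote) and HKLM\SOFTWARE\Microsoft\Windows Defender\...
    if parent.endswith(RTP_KEY_SUFFIX) and name in RTP_DISABLE_VALUES and value == 1:
        return Finding("defender_rtp_component_disabled", event.process, event.target)
    if parent.endswith(FEATURES_KEY_SUFFIX) and name == "tamperprotection" and value == 0:
        return Finding("defender_tamper_protection_off", event.process, event.target)
    return None


def scan(events: List[RegEvent]) -> List[Finding]:
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events: two mirror the report's writes by pr710256.exe,
# two are benign controls (policy value cleared to 0, unrelated key).
PR710256 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe"
SAMPLE_EVENTS = [
    RegEvent(PR710256,
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000001)"),
    RegEvent(PR710256,
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\System32\svchost.exe",
             r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\explorer.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
             "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.process} -> {f.target}")
```

Running the block prints two findings, both attributed to pr710256.exe; the control events produce none. In production the `RegEvent` records would come from Sysmon Event ID 13 (`TargetObject`, `Details`, `Image`) rather than the constructed list.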
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | N/A |
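The two RunOnce entries above are not payload persistence. `rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"` is the cleanup hook the IExpress self-extractor (wextract.exe) registers to delete its IXPnnn.TMP unpack directory at the next logon, and the index (wextract_cleanup0 written by the top-level sample into IXP000.TMP, wextract_cleanup1 written by un471591.exe into IXP001.TMP) shows two nested IExpress packages. The report lists no Run/RunOnce value that points at a dropped executable. The Python below is an added example, not code from the report or the sandbox; it unescapes the report's rendering of the value data, separates this cleanup pattern from genuine autostart entries, and groups the dropped files from the "Executes dropped EXE" table by unpack layer. The `Updater` entry is a constructed control and does not appear in the report.

```python
"""Classify Run/RunOnce values and reconstruct IExpress unpack layers.

Added example, not part of the sandbox report. It recognises the cleanup
entry the IExpress/wextract self-extractor registers
(rundll32 advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP>") so an analyst does
not read it as payload persistence, and groups dropped files by the
IXPnnn.TMP layer they were unpacked into.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def unescape_report_value(s: str) -> str:
    """The report prints value data with backslashes and double quotes escaped
    (backslash-backslash and backslash-quote); undo that to get the real command line."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


IEXPRESS_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S+\\advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.I,
)
IXP_LAYER_RE = re.compile(r"\\IXP(\d{3})\.TMP$", re.I)


@dataclass
class RunKeyVerdict:
    name: str
    kind: str                          # "iexpress_cleanup" or "other"
    extract_dir: Optional[str] = None  # IXPnnn.TMP directory the entry deletes
    layer: Optional[int] = None        # nesting index: 0 = outermost package


def classify_runonce(name: str, data: str) -> RunKeyVerdict:
    """Tell the IExpress cleanup hook apart from a real autostart entry."""
    cmd = unescape_report_value(data)
    m = IEXPRESS_CLEANUP_RE.match(cmd)
    if not m:
        return RunKeyVerdict(name, "other")
    extract_dir = m.group("dir").rstrip("\\")
    lm = IXP_LAYER_RE.search(extract_dir)
    return RunKeyVerdict(name, "iexpress_cleanup", extract_dir,
                         int(lm.group(1)) if lm else None)


def group_by_layer(verdicts: List[RunKeyVerdict],
                   dropped_paths: List[str]) -> Dict[int, List[str]]:
    """Map each IExpress layer index to the dropped files unpacked into it."""
    layers: Dict[int, List[str]] = {}
    for v in verdicts:
        if v.kind == "iexpress_cleanup" and v.layer is not None:
            prefix = v.extract_dir.lower() + "\\"
            layers[v.layer] = [p for p in dropped_paths if p.lower().startswith(prefix)]
    return layers


# Value data exactly as the report renders it (escaped), plus one constructed
# control entry ("Updater") that is not from the report.
REPORT_RUNONCE = {
    "wextract_cleanup0": r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"',
    "wextract_cleanup1": r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"',
    "Updater": r'\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\" /silent',
}

# Paths from the report's "Executes dropped EXE" table.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe",
]

if __name__ == "__main__":
    verdicts = [classify_runonce(n, d) for n, d in REPORT_RUNONCE.items()]
    for v in verdicts:
        print(f"{v.name}: {v.kind} layer={v.layer} dir={v.extract_dir}")
    for layer, files in sorted(group_by_layer(verdicts, DROPPED_FILES).items()):
        print(f"layer {layer}: {[f.rsplit(chr(92), 1)[1] for f in files]}")
```

Layer 0 holds un471591.exe and si558184.exe; layer 1 (unpacked by un471591.exe) holds pr710256.exe and qu652464.exe, which matches the process list further down. The constructed `Updater` entry is classified as "other", the case that would deserve a persistence triage.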
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | "C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4152 -ip 4152 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3256 -ip 3256 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1320 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 52.109.8.86:443 | | tcp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe
| MD5 | 0e21a29d5c7408ee418d9fcd97584925 |
| SHA1 | 7c40c2c58f2654a2967eb73bbd64775781be0831 |
| SHA256 | 129661b1ec5ea757822a11632de2218bb45ab9d4bd2d72eb6ec42a74c5b239b5 |
| SHA512 | 8e74c4cee3a682545560b8eca44c16623676f2ea4c3d261b380cb6ce8da78287fd2503b4ae773c7cda7bf3c92e98a9b9f65b7cd12f7575e96ac33c6cef5432eb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe
| MD5 | f5fbfbfccbbacf005cf34c129effc205 |
| SHA1 | 3878229f07d89c75d64066c0561c7d2196144e9d |
| SHA256 | c24bc9c5229b5ded0fbf35a0e9fee72a807d63d815b12ac9dd4482df462a87f3 |
| SHA512 | 2e8e30cab3d1d97a6f41f633aa9f991caf7ec1175afeb5caeb6a2484baaa7088a908160955c364e4629241cb8b40aa7a945dc61086cae900ac0ab3b26d4fdfee |
memory/4152-148-0x0000000002C80000-0x0000000002CAD000-memory.dmp
memory/4152-149-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/4152-150-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/4152-151-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/4152-152-0x0000000007300000-0x00000000078A4000-memory.dmp
memory/4152-153-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-154-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-156-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-158-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-160-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-162-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-164-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-172-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-174-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-170-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-168-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-166-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-176-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-178-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-180-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
memory/4152-181-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/4152-183-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/4152-182-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/4152-184-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/4152-186-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe
| MD5 | 13a9c82af38ddf94bc6f2a30af71d7a4 |
| SHA1 | e080b8f66e1c736ed78aae2040abcae2245282ba |
| SHA256 | aa1095d1c0aa6acabde596cb96991da56be53d8b4ed7ee22474cbedcbb140cc6 |
| SHA512 | ae6685adba118d1522a8882825005b9ef989e968b8996e48339af4d421f9efe8cee7d995a243f7b1baebab25f60e22fb2f106d90228ebddb90d6b64e8a30d91c |
memory/3256-191-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-192-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-194-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-196-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-198-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-200-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-202-0x0000000002CA0000-0x0000000002CE6000-memory.dmp
memory/3256-204-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-203-0x0000000007320000-0x0000000007330000-memory.dmp
memory/3256-205-0x0000000007320000-0x0000000007330000-memory.dmp
memory/3256-208-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-207-0x0000000007320000-0x0000000007330000-memory.dmp
memory/3256-210-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-212-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-214-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-216-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-218-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-220-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-222-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-224-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-226-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-228-0x0000000004B70000-0x0000000004BA5000-memory.dmp
memory/3256-987-0x0000000009C60000-0x000000000A278000-memory.dmp
memory/3256-988-0x000000000A320000-0x000000000A332000-memory.dmp
memory/3256-989-0x000000000A340000-0x000000000A44A000-memory.dmp
memory/3256-990-0x000000000A460000-0x000000000A49C000-memory.dmp
memory/3256-991-0x0000000007320000-0x0000000007330000-memory.dmp
memory/3256-992-0x000000000A760000-0x000000000A7C6000-memory.dmp
memory/3256-993-0x000000000AE30000-0x000000000AEC2000-memory.dmp
memory/3256-994-0x000000000AEE0000-0x000000000AF30000-memory.dmp
memory/3256-995-0x000000000AF40000-0x000000000AFB6000-memory.dmp
memory/3256-996-0x000000000B120000-0x000000000B2E2000-memory.dmp
memory/3256-997-0x000000000B300000-0x000000000B82C000-memory.dmp
memory/3256-998-0x000000000B930000-0x000000000B94E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/3592-1005-0x0000000000440000-0x0000000000468000-memory.dmp
memory/3592-1006-0x00000000074C0000-0x00000000074D0000-memory.dmp