Analysis Overview
SHA256
ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc
Threat Level: Known bad
The file ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Reads user/profile data of web browsers
Executes dropped EXE
Windows security modification
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:44
Reported
2023-04-23 23:47
Platform
win10-20230220-en
Max time kernel
52s
Max time network
64s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe
"C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| JP | 40.79.197.35:443 | | tcp |
| N/A | 185.161.248.142:38452 | | tcp |
| NL | 8.238.179.126:80 | | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
| MD5 | 55381a45a9f8d15d448a44a6fcede0f8 |
| SHA1 | ded5a07d33b22c25350d5acb6a41a51a04a95558 |
| SHA256 | d029051c4a9e3b50f4e83cdaed7f90b9d1258e9c1e39b3231ed7381008ddd44c |
| SHA512 | d95ed6f4292edde714eecc1c374509c5d793c6a8cd51e92792e84decfcef7d7a779c589658da7174d513c9cae6d79898ef4d5d204dcd11a38f54674a1d8bd0f8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
| MD5 | c833c4649bfda0bba8decbc9dd1498c4 |
| SHA1 | 087886c86f7c2073a46f8f6ff065308ba16cd1bb |
| SHA256 | ba1d1e52dc70863ceedd09b6be3bb3e4f6ef036d11fe109e550b0f7d7bbf1886 |
| SHA512 | c5e6b1c39850ddba8eeaae7f0456a611788054ab02fc699c5d3fd3b76c90e21d2ff76872b1836da4c7e9b1c26cd54e88a69c166999447c4e35fbb0431be9af53 |
memory/2988-136-0x00000000001D0000-0x00000000001FD000-memory.dmp
memory/2988-137-0x0000000002E00000-0x0000000002E1A000-memory.dmp
memory/2988-139-0x0000000007220000-0x0000000007230000-memory.dmp
memory/2988-138-0x0000000007220000-0x0000000007230000-memory.dmp
memory/2988-140-0x0000000007230000-0x000000000772E000-memory.dmp
memory/2988-141-0x00000000070E0000-0x00000000070F8000-memory.dmp
memory/2988-142-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-143-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-145-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-147-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-149-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-151-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-153-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-155-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-157-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-159-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-161-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-163-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-165-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-167-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-169-0x00000000070E0000-0x00000000070F2000-memory.dmp
memory/2988-170-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2988-172-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
| MD5 | e43d400926f6323fd3f2ba7e52f94b1d |
| SHA1 | 4ba024e6b9dfef3a61956b37e211429276398519 |
| SHA256 | 5c93d8adb0027838ffc7f2b367f5070710fcbb709bd35f6880782d798425a4b1 |
| SHA512 | 11a9ff5ae70f1c0ad31000e66dfcef28fbdb3b423821448b9aca190bfc3c9e480d92cdcb0e1fedc6227eeac73576e080af1a274fd595f4615f2457851be38f47 |
memory/2628-177-0x0000000004950000-0x000000000498C000-memory.dmp
memory/2628-178-0x0000000004B20000-0x0000000004B5A000-memory.dmp
memory/2628-179-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-180-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-186-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-184-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-182-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-188-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-190-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-192-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-196-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-194-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-198-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-200-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-202-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-204-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-206-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-208-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-210-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-212-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/2628-302-0x0000000002CA0000-0x0000000002CE6000-memory.dmp
memory/2628-303-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-307-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-305-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-975-0x0000000009CC0000-0x000000000A2C6000-memory.dmp
memory/2628-976-0x0000000007370000-0x0000000007382000-memory.dmp
memory/2628-977-0x000000000A2D0000-0x000000000A3DA000-memory.dmp
memory/2628-979-0x00000000073B0000-0x00000000073EE000-memory.dmp
memory/2628-978-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-980-0x000000000A3E0000-0x000000000A42B000-memory.dmp
memory/2628-982-0x000000000A670000-0x000000000A6D6000-memory.dmp
memory/2628-983-0x000000000AD30000-0x000000000ADC2000-memory.dmp
memory/2628-984-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-985-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-986-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-987-0x000000000AEE0000-0x000000000AF56000-memory.dmp
memory/2628-988-0x000000000AF90000-0x000000000AFAE000-memory.dmp
memory/2628-989-0x000000000B060000-0x000000000B222000-memory.dmp
memory/2628-990-0x000000000B230000-0x000000000B75C000-memory.dmp
memory/2628-991-0x0000000007430000-0x0000000007440000-memory.dmp
memory/2628-992-0x0000000002F50000-0x0000000002FA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/3892-998-0x0000000000040000-0x0000000000068000-memory.dmp
memory/3892-999-0x0000000006DF0000-0x0000000006E3B000-memory.dmp
memory/3892-1000-0x0000000006D60000-0x0000000006D70000-memory.dmp