Analysis Overview
SHA256
cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06
Threat Level: Known bad
The file cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:46
Reported
2023-04-23 23:48
Platform
win10-20230220-en
Max time kernel
56s
Max time network
60s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | "C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe |
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe
| MD5 | c332b51782cb7cf1d27e6b3605b419aa |
| SHA1 | 007ffecc0c769c8f7aa7c4ee761bb0037106192e |
| SHA256 | 97eb4b0018aa7b9c6f8f8814b3d4f89eee13054a6ad613701e32597edbc18226 |
| SHA512 | b6d7f172f70a8ee50028e1e47962fbc9a560888d67deaed7de91befd9296427f2ceaf1cb97603a2b944e097755b80cebaa4ab232fb868401907b877b8a5e46b3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe
| MD5 | e2e38523ee959ad508786fab77e95adf |
| SHA1 | 374580d357a6c2be50383738c4b6cc8aabe8e09a |
| SHA256 | a8dd6b575680127f553c1f672ab35141ae0a27bd4f6f6880af3e5c0762718a0a |
| SHA512 | 07d3829fbc9ba602d4773949bdf7fdb6dfe9e0beffde66281a25eed7d82bedce08c5b91f7dc4620acc44b53bdab4e5e2b2a1e1a5bfa8746cb4051866c139d809 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe
| MD5 | 8d66a3b8048b0b447154ab28d2e7711d |
| SHA1 | 77b618e270091d30f213aafdd19b40ca67a46691 |
| SHA256 | 7cdfe6e5c611408910f6f418ef987cc38e4018398cfbf3a5e5247132b4d6c7c7 |
| SHA512 | 371badf163248d263a48da4c14048bc7f4b0183035500266d34ab88a29c5219973140029eadf4cd7ba915b203ba8fe9f07d62a32f60036386b477f877fc18335 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/2500-997-0x0000000000210000-0x0000000000238000-memory.dmp
memory/2500-998-0x0000000006F90000-0x0000000006FDB000-memory.dmp
memory/2500-999-0x00000000072B0000-0x00000000072C0000-memory.dmp