Analysis Overview
SHA256
a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856
Threat Level: Known bad
The file a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:47
Reported
2023-04-23 23:49
Platform
win10-20230220-en
Max time kernel
54s
Max time network
72s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | "C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe |
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 20.189.173.12:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe
| MD5 | 5151982b85228606a718116d4790f4d0 |
| SHA1 | c73b79689d5b810f1ff7556da0a7f2da91a2f3fa |
| SHA256 | 67209925b30d7ff6935c209341ad3b7f070e26ee17753fc4ce3775d9664a418b |
| SHA512 | 23ecf0aa325c649d1b611f3cecdaeb2e3d51ac023ad4ad9ab237406f22d74ecc8d69fa73f1571ecdd425a09fe3d4e2225672a8e218647f9f6653a66b4ffcea3e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3748-134-0x00000000000F0000-0x00000000000FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe
| MD5 | e090763a72c191b237f19756229c5ee0 |
| SHA1 | 4508610e7c287ba7b52eef6119d8a5ad8e32c7c8 |
| SHA256 | 56746625235f6431dc5565ce6fadb6595f495acb6691ac429d3ca3a5eddd0a39 |
| SHA512 | 7eef90551480d92b150b741076469d2cb0353f76d0e01161521dd89e050eefc57e449e39ddd4f15e9b3fda857e5ac426fffdb723645df471c4251cc2872df5b5 |
memory/4140-140-0x0000000004AE0000-0x0000000004B1C000-memory.dmp
memory/4140-141-0x0000000002BD0000-0x0000000002C16000-memory.dmp
memory/4140-142-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/4140-143-0x0000000007150000-0x000000000764E000-memory.dmp
memory/4140-144-0x0000000007690000-0x00000000076CA000-memory.dmp
memory/4140-145-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-146-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-148-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-150-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-152-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-154-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-156-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-158-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-160-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-162-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-164-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-166-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-168-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-170-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-172-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-174-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-176-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-178-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-180-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-182-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-184-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-186-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-187-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/4140-190-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/4140-189-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-192-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-194-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-196-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-198-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-200-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-202-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-204-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-206-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-208-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-210-0x0000000007690000-0x00000000076C5000-memory.dmp
memory/4140-939-0x000000000A1A0000-0x000000000A7A6000-memory.dmp
memory/4140-940-0x0000000009C00000-0x0000000009C12000-memory.dmp
memory/4140-941-0x0000000009C30000-0x0000000009D3A000-memory.dmp
memory/4140-942-0x0000000009D50000-0x0000000009D8E000-memory.dmp
memory/4140-943-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/4140-944-0x0000000009ED0000-0x0000000009F1B000-memory.dmp
memory/4140-945-0x000000000A060000-0x000000000A0C6000-memory.dmp
memory/4140-946-0x000000000AD20000-0x000000000ADB2000-memory.dmp
memory/4140-947-0x000000000ADE0000-0x000000000AE56000-memory.dmp
memory/4140-948-0x000000000AEB0000-0x000000000B072000-memory.dmp
memory/4140-949-0x000000000B090000-0x000000000B5BC000-memory.dmp
memory/4140-950-0x000000000B6D0000-0x000000000B6EE000-memory.dmp
memory/4140-951-0x0000000006CB0000-0x0000000006D00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/2608-957-0x00000000002D0000-0x00000000002F8000-memory.dmp
memory/2608-958-0x0000000007050000-0x000000000709B000-memory.dmp
memory/2608-959-0x0000000007340000-0x0000000007350000-memory.dmp