Analysis Overview
SHA256
765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c
Threat Level: Known bad
The file 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:49
Reported
2023-04-23 23:51
Platform
win10-20230220-en
Max time kernel
47s
Max time network
56s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe | "C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe |
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| NL | 52.178.17.3:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe
| MD5 | 9624984b0c80a4817ddaf7a2fc58b294 |
| SHA1 | d56745ea704ff655d9d8076ae59156a04df437a8 |
| SHA256 | 3c060adcfd9d8d3d51bf9775bc221871cc64547a18240d2bac20d0968c8f2a00 |
| SHA512 | 60b95c75b699747545415c830d17fc22ff875b29a9b76d1d8a1483d2bfbdbd61cd287d80dac03bc530c729ce5c82cd9af7c1b2481d1ac690a69dc675f5a59733 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2600-135-0x0000000000690000-0x000000000069A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe
| MD5 | 643e9671a5ba78ad1ae8dc24f8d7c70a |
| SHA1 | ce311b668a8b23ac7b3ed5bc44e0653fa07eb3c1 |
| SHA256 | ab97a0dc3fee55085d714eda320aa89d408bae1e9bc5350dcb6f58c61d037a4f |
| SHA512 | 7fa1e804f5a2856c14a6997ff3a20de70d9295ff1be2aaa6e2e9895a8b34b746b6f17ee1680e42251529e70386376ceffcfe14b338fa8ec7696bfd83a59f85e0 |
memory/2648-141-0x00000000049D0000-0x0000000004A0C000-memory.dmp
memory/2648-142-0x0000000007300000-0x00000000077FE000-memory.dmp
memory/2648-143-0x0000000004D00000-0x0000000004D3A000-memory.dmp
memory/2648-144-0x0000000002DD0000-0x0000000002E16000-memory.dmp
memory/2648-145-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/2648-146-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/2648-147-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/2648-148-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-149-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-153-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-151-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-159-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-157-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-155-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-161-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-163-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-165-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-171-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-169-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-173-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-167-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-175-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-179-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-181-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-177-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-191-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-197-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-195-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-193-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-203-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-201-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-209-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-207-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-205-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-211-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-199-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-189-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-187-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-185-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-183-0x0000000004D00000-0x0000000004D35000-memory.dmp
memory/2648-940-0x0000000009B80000-0x000000000A186000-memory.dmp
memory/2648-941-0x000000000A210000-0x000000000A222000-memory.dmp
memory/2648-942-0x000000000A240000-0x000000000A34A000-memory.dmp
memory/2648-943-0x000000000A360000-0x000000000A39E000-memory.dmp
memory/2648-944-0x00000000072F0000-0x0000000007300000-memory.dmp
memory/2648-945-0x000000000A4E0000-0x000000000A52B000-memory.dmp
memory/2648-946-0x000000000A670000-0x000000000A6D6000-memory.dmp
memory/2648-947-0x000000000AD20000-0x000000000ADB2000-memory.dmp
memory/2648-948-0x000000000AF10000-0x000000000AF86000-memory.dmp
memory/2648-949-0x000000000AFD0000-0x000000000AFEE000-memory.dmp
memory/2648-950-0x000000000B1A0000-0x000000000B362000-memory.dmp
memory/2648-951-0x000000000B370000-0x000000000B89C000-memory.dmp
memory/2648-952-0x0000000004C60000-0x0000000004CB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/1456-959-0x0000000000C10000-0x0000000000C38000-memory.dmp
memory/1456-960-0x0000000007990000-0x00000000079DB000-memory.dmp
memory/1456-961-0x0000000007C80000-0x0000000007C90000-memory.dmp