Analysis Overview
SHA256
9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d
Threat Level: Known bad
The file 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Reads user/profile data of web browsers
Executes dropped EXE
Windows security modification
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:51
Reported
2023-04-23 23:53
Platform
win10v2004-20230220-en
Max time kernel
60s
Max time network
126s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe | N/A |
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe
"C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1340
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 40.77.2.164:443 | N/A | tcp |
| US | 13.89.179.9:443 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
| MD5 | 82ec6afdd501c9a3c905a8898780e346 |
| SHA1 | aaff301fc96ab46ee46e83a15a3b3b272cdc942a |
| SHA256 | 7e78e6c2ac3add67b6ba629bc39da526e12cd5c4425b4e66282b71636074028c |
| SHA512 | 0589875ab791438dfcea223d03b287a8fc81809ed87805e1fc56a050d9380e040db6624e17e978aecb33b88b90fb54f0c89f2b7ebf3333a193297298e7c79960 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
| MD5 | f044fcaeb9896ee1fdb250673ffd63e6 |
| SHA1 | 5955d1441c9160a49e37cf27f0db01490cef87b6 |
| SHA256 | 681980a7ad175640cdbbe69864de16b1bef0645f13e67451548d51a64540bdbe |
| SHA512 | 623200c0c4e5045bfbee376a2e79c92ed988f98c6bac84be0e5799fc981272cbf4460daf8c3c3f854ff2849fb2af1b44ea4a58e7f4bf2a782e3e33ca76b87b8a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
| MD5 | 2c02b728f5fb060ee8a6fd76046e45cd |
| SHA1 | 998885f23a9539a6c71b43255267f6ce1194819a |
| SHA256 | d00ba9249944a9e3633b03dfcc9ccf5852d0b8c47f9c25b894cdf88152ba1d9d |
| SHA512 | 51de1081544044d3f6ffc97146ce2ed47c637087c8f391edcdc03ee7dd1850027cff0c3c23bd7b032c6e89bc2e8cfc8a2f8d2e1a5a3f2ff21075ad0c6226bbde |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |