Analysis Overview
SHA256
074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e
Threat Level: Known bad
The file 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:50
Reported
2023-04-23 23:52
Platform
win10-20230220-en
Max time kernel
54s
Max time network
71s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
"C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 20.189.173.12:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
| MD5 | 592280f75e4c1d6252c30fcd978b428b |
| SHA1 | 6590d2b253f55789079e2fcfedb2d2d0cf8ed919 |
| SHA256 | 35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351 |
| SHA512 | 564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
| MD5 | ea129ae4e2eec913a0abb8a1860e383d |
| SHA1 | cc11444a5348d0948ccfb353ddfc0199d4f79897 |
| SHA256 | faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752 |
| SHA512 | 88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a |
memory/4168-136-0x0000000004BF0000-0x0000000004C0A000-memory.dmp
memory/4168-135-0x0000000002CB0000-0x0000000002CDD000-memory.dmp
memory/4168-137-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/4168-138-0x00000000070B0000-0x00000000075AE000-memory.dmp
memory/4168-139-0x00000000075F0000-0x0000000007608000-memory.dmp
memory/4168-140-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-141-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-143-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-145-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-147-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-149-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-151-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-153-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-155-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-157-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-159-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-161-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-163-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-165-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-167-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/4168-169-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/4168-168-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/4168-170-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/4168-171-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/4168-173-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/4168-174-0x0000000004C30000-0x0000000004C40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
| MD5 | dbd9429a188264660be8c2063838216e |
| SHA1 | 0755dfb277703fc264026eedffa4d6ce2f211536 |
| SHA256 | 4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9 |
| SHA512 | 60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513 |
memory/3160-179-0x0000000004BA0000-0x0000000004BDC000-memory.dmp
memory/3160-180-0x00000000070B0000-0x00000000070EA000-memory.dmp
memory/3160-184-0x0000000007160000-0x0000000007170000-memory.dmp
memory/3160-183-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-186-0x0000000007160000-0x0000000007170000-memory.dmp
memory/3160-188-0x0000000007160000-0x0000000007170000-memory.dmp
memory/3160-190-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-187-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-182-0x0000000002CE0000-0x0000000002D26000-memory.dmp
memory/3160-181-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-192-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-194-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-196-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-198-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-200-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-202-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-204-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-206-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-208-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-210-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-212-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-214-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-216-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-218-0x00000000070B0000-0x00000000070E5000-memory.dmp
memory/3160-977-0x000000000A200000-0x000000000A806000-memory.dmp
memory/3160-978-0x0000000007130000-0x0000000007142000-memory.dmp
memory/3160-979-0x0000000009C30000-0x0000000009D3A000-memory.dmp
memory/3160-980-0x0000000007160000-0x0000000007170000-memory.dmp
memory/3160-981-0x0000000009D50000-0x0000000009D8E000-memory.dmp
memory/3160-982-0x0000000009ED0000-0x0000000009F1B000-memory.dmp
memory/3160-983-0x000000000A060000-0x000000000A0C6000-memory.dmp
memory/3160-984-0x000000000AD30000-0x000000000ADC2000-memory.dmp
memory/3160-985-0x000000000ADD0000-0x000000000AE20000-memory.dmp
memory/3160-986-0x000000000AE40000-0x000000000AEB6000-memory.dmp
memory/3160-987-0x000000000AFE0000-0x000000000AFFE000-memory.dmp
memory/3160-988-0x000000000B0B0000-0x000000000B272000-memory.dmp
memory/3160-989-0x000000000B280000-0x000000000B7AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/3780-995-0x0000000000C10000-0x0000000000C38000-memory.dmp
memory/3780-996-0x0000000007990000-0x00000000079DB000-memory.dmp
memory/3780-997-0x0000000007D20000-0x0000000007D30000-memory.dmp