Analysis Overview
SHA256: 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06
Threat Level: Known bad
The file 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-04-23 23:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-04-23 23:52
Reported: 2023-04-23 23:55
Platform: win10-20230220-en
Max time kernel: 144s
Max time network: 148s
Command Line: N/A
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | "C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe |
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe
| MD5 | 3800a36c0c2a4d999037b2d3ce325ba0 |
| SHA1 | 6c63db5220b9411cde02a9b5580be7abba9fcfce |
| SHA256 | b6f536d5314262767b10303dcd98f9b4b1f77b0581dc7ce771713b2c07d3825f |
| SHA512 | ecafe2a456171627f3b57f1b3a0b673e9a7a3b95a4cd19014c3e826a5b75aae79a75bab647c97cc677ae4ecc84fa70978abe19292bc7d9ae544eab4fd43b6e0d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe
| MD5 | 4be8a568f93bf2995daa47cb7bf9ad5a |
| SHA1 | 5d00444619088871dd53c51d6b6fce214600b122 |
| SHA256 | 77e93cecdd070e526425fd39ff9603528dd54f19a2d1b24386fcaea3542f4af1 |
| SHA512 | 7d9d27f1d8ae45155bf39c2ddb2d2b170edc561b13c79e8fc066e9d73f3100aca341af8232c9fde6252e6c46c8cd2e08758b0d014839e7a560fc014fda98f61c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe
| MD5 | 0b1441c8e9880dceaeb09f46e8bdcc29 |
| SHA1 | d34ddb646f520fca722850f2ce8142f3cc96d0be |
| SHA256 | f21b4e07e05cef7391656e70ae2411fd5f2ca34f7ab779ae5734043e642d9abf |
| SHA512 | 7fd63f87ece5caf5254ba270ad9e1dcc43bc52812ebe79bb6f644da4d0b9170225b0994d31e391e6cf42d09c8bc3f4957dc8d7bae2cf294adaa134c343398d2a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |