Analysis Overview
SHA256
0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d
Threat Level: Known bad
The file 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:54
Reported
2023-04-23 23:57
Platform
win10v2004-20230221-en
Max time kernel
96s
Max time network
98s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | N/A |
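As an added example (not part of the sandbox report), the registry events from the Defender, Windows security modification and Run key tables above, re-entered as constructed Python data, run through a small classifier that separates the Defender-tampering writes from the RunOnce entries. The RunOnce rows deserve a caveat: `wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP>"` is the cleanup entry the Windows IExpress/WEXTRACT self-extractor writes for its own temp directory, so by itself it is not persistence; what it does tell you is that the sample is a two-layer self-extracting package (IXP000.TMP from the top-level file, IXP001.TMP from zigw6999.exe inside it). Note also that the report records the registry writes, not whether Defender honoured them: with Tamper Protection enabled these policy values are ignored. The rule names, severities and ATT&CK IDs are my own labels.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Registry paths as the sandbox prints them; \REGISTRY\MACHINE is HKLM.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# IExpress/WEXTRACT registers RunOnce\wextract_cleanupN =
#   rundll32 advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP dir>"  to delete its extraction dir.
WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.IGNORECASE)


class RegEvent(NamedTuple):
    op: str                 # "create" (key created) or "set" (value written)
    key: str
    name: Optional[str]
    data: object
    process: str


class Finding(NamedTuple):
    severity: str           # "high" | "medium" | "info"
    rule: str
    process: str
    detail: str
    artifact: Optional[str] = None


def classify(ev: RegEvent) -> Optional[Finding]:
    """Map one registry event to a finding, or None if it carries no signal on its own."""
    if ev.op != "set":
        return None                       # key creation alone is not interesting here
    key = ev.key.lower()
    name = (ev.name or "").lower()
    if key == RTP_POLICY_KEY.lower() and name.startswith("disable") and ev.data == 1:
        return Finding("high", "defender_rtp_policy_disable", ev.process,
                       f"{ev.name}=1 (ATT&CK T1562.001)")
    if key == DEFENDER_FEATURES_KEY.lower() and name == "tamperprotection" and ev.data == 0:
        return Finding("high", "defender_tamper_protection_off", ev.process,
                       "TamperProtection=0 (ATT&CK T1562.001)")
    if RUN_KEY_RE.search(ev.key):
        m = DELNODE_RE.search(str(ev.data))
        if WEXTRACT_NAME_RE.match(ev.name or "") and m:
            # Self-extractor housekeeping: RunOnce deletes itself after one run and the
            # command only removes the temp directory. Record the directory, not an alert.
            return Finding("info", "iexpress_cleanup_runonce", ev.process,
                           "self-extractor cleanup entry", artifact=m["dir"])
        return Finding("medium", "run_key_persistence", ev.process,
                       f"{ev.name}={ev.data} (ATT&CK T1547.001)")
    return None


# Constructed from the signature tables above (same keys, values and processes).
IT = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe"
ZIGW = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
EVENTS: List[RegEvent] = [
    RegEvent("create", RTP_POLICY_KEY, None, None, IT),
    *[RegEvent("set", RTP_POLICY_KEY, n, 1, IT) for n in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")],
    RegEvent("set", DEFENDER_FEATURES_KEY, "TamperProtection", 0, IT),
    RegEvent("create", RUNONCE_KEY, None, None, DROPPER),
    RegEvent("set", RUNONCE_KEY, "wextract_cleanup0",
             'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
             '"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"', DROPPER),
    RegEvent("create", RUNONCE_KEY, None, None, ZIGW),
    RegEvent("set", RUNONCE_KEY, "wextract_cleanup1",
             'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
             '"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"', ZIGW),
]


def triage(events: List[RegEvent]) -> List[Finding]:
    return [f for f in map(classify, events) if f]


def severity_counts(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


def iexpress_layers(findings: List[Finding]) -> List[str]:
    """Extraction directories named by cleanup entries; more than one means a nested self-extractor."""
    return sorted({f.artifact for f in findings if f.rule == "iexpress_cleanup_runonce" and f.artifact})


if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"[{f.severity:<6}] {f.rule:<32} {f.process.rsplit(chr(92), 1)[-1]:<14} {f.detail}")
    print("severities:", severity_counts(found))
    print("self-extractor layers:", iexpress_layers(found))
```

The `data == 1` / `== 0` comparisons matter: a write of `DisableRealtimeMonitoring = 0` re-enables protection and must not fire the rule, and the tamper-protection rule only triggers on the value being turned off.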
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe |
The crashed process is kp386537.exe; the WerFault command lines in the Processes section (-p 2976) and the memory/2976-* dumps in the Files section refer to its PID.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | "C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2976 -ip 2976 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 2016 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe |
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 104.208.16.90:443 | N/A | tcp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
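The Network table, re-entered as constructed Python rows and triaged by an added script (mine, not the sandbox's). It recovers the address behind each in-addr.arpa PTR query (the octets are reversed: 142.248.161.185.in-addr.arpa refers to 185.161.248.142) and then scores every TCP endpoint on three signals visible in the table: a port other than 80/443, no country in the sandbox data, and being contacted as a bare IP for which only a reverse lookup and no forward resolution was seen. In this trace that isolates 185.161.248.142:38452, contacted twice. The 80/443 destinations are left for the analyst to match against their own infrastructure allowlist (the script has none), and whether 185.161.248.142 is the sample's command-and-control is an inference from the table, not something the report states.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# PTR names carry the octets reversed: 142.248.161.185.in-addr.arpa -> 185.161.248.142
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


class Flow(NamedTuple):
    country: str
    dest_ip: str
    dest_port: int
    domain: Optional[str]
    proto: str


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn an in-addr.arpa PTR name back into the dotted quad it refers to (None if not a PTR name)."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def parse_row(country: str, destination: str, domain: str, proto: str) -> Flow:
    ip, _, port = destination.rpartition(":")
    return Flow(country, ip, int(port), None if domain in ("", "N/A") else domain, proto.lower())


# Constructed from the Network table above (same rows, same order).
RAW_ROWS = [
    ("US", "93.184.221.240:80", "N/A", "tcp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("N/A", "185.161.248.142:38452", "N/A", "tcp"),
    ("US", "8.8.8.8:53", "142.248.161.185.in-addr.arpa", "udp"),
    ("N/A", "185.161.248.142:38452", "N/A", "tcp"),
    ("US", "104.208.16.90:443", "N/A", "tcp"),
    ("US", "8.8.8.8:53", "1.77.109.52.in-addr.arpa", "udp"),
    ("US", "93.184.221.240:80", "N/A", "tcp"),
    ("US", "93.184.221.240:80", "N/A", "tcp"),
    ("NL", "173.223.113.164:443", "N/A", "tcp"),
    ("NL", "173.223.113.131:80", "N/A", "tcp"),
    ("US", "204.79.197.203:80", "N/A", "tcp"),
]
FLOWS: List[Flow] = [parse_row(*r) for r in RAW_ROWS]


def reverse_lookups(flows: List[Flow]) -> Set[str]:
    """IPs that were the subject of a PTR query (DNS rows whose name is under in-addr.arpa)."""
    return {ip for f in flows if f.dest_port == 53 and f.domain
            for ip in [ptr_to_ip(f.domain)] if ip}


def forward_names(flows: List[Flow]) -> Set[str]:
    """Hostnames resolved with an ordinary (non-PTR) query; empty here, so no hostname-based C2."""
    return {f.domain for f in flows if f.dest_port == 53 and f.domain and not ptr_to_ip(f.domain)}


def ptr_without_connection(flows: List[Flow]) -> Set[str]:
    """Addresses reverse-resolved but never connected to in the captured window."""
    connected = {f.dest_ip for f in flows if f.proto == "tcp"}
    return reverse_lookups(flows) - connected


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Score each TCP endpoint; returns {'ip:port': [reasons]} for endpoints worth escalating."""
    ptr_ips = reverse_lookups(flows)
    hits: Dict[str, List[str]] = {}
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        ep = f"{f.dest_ip}:{f.dest_port}"
        counts[ep] += 1
        reasons = []
        if f.dest_port not in (80, 443):
            reasons.append(f"non-standard port {f.dest_port}")
        if f.country == "N/A":
            reasons.append("no geolocation in sandbox data")
        if f.dest_ip in ptr_ips and f.domain is None:
            reasons.append("contacted as IP literal; only a PTR lookup seen, no forward resolution")
        if not ipaddress.ip_address(f.dest_ip).is_global:
            reasons.append("non-global address")
        if reasons:
            hits[ep] = reasons
    for ep in hits:
        hits[ep].append(f"seen {counts[ep]} time(s)")
    return hits


if __name__ == "__main__":
    for ep, why in triage(FLOWS).items():
        print(ep, "->", "; ".join(why))
    print("PTR-only, never connected:", sorted(ptr_without_connection(FLOWS)))
```

`ptr_without_connection` is worth a look as well: the trace has PTR queries for 20.72.205.209 and 52.109.77.1 but no TCP flow to either, so connections to those addresses either happened outside the 98-second capture or were not captured at all.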
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe
| MD5 | dc2d8fdc8d3d46783ae2657058a75791 |
| SHA1 | 84aeb242bf58ea8cb33f7edcbfde90a9ff9c26fe |
| SHA256 | 9bb8049f683d803d4aabac99b19741fdbb28b45c81bed35d666d9f2a08462b0d |
| SHA512 | 182cd5bf2242255bd0a9713e571ade0b6e7264f1b3f8d2737235b998f036ad98bc544d33f0f864642b09cbc64972dd03559d1c110d19ea5cb0669367d6a1e0ed |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4472-147-0x0000000000650000-0x000000000065A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe
| MD5 | 544d3ec4153b87860a314e032fda8170 |
| SHA1 | 5fc6d3f97fa737ab59dd054e2087bf6d7fd990b6 |
| SHA256 | 96fefcf961481f099453b1719e61cb0e6bccd52ec64ee49beca8883c991839b6 |
| SHA512 | cbfa328567999555a34ece31b60919d766fe82697eaf8263c3ae28a69114d8cf5e33a6f91f25c59593f7cda508340b2dad12d8d7a341c1cf0bb1208f26e91631 |
memory/2976-153-0x0000000002BD0000-0x0000000002C16000-memory.dmp
memory/2976-154-0x0000000007390000-0x0000000007934000-memory.dmp
memory/2976-155-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-156-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-158-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-160-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-162-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-164-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-166-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-168-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-170-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-172-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-174-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-176-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-180-0x0000000007380000-0x0000000007390000-memory.dmp
memory/2976-178-0x0000000007380000-0x0000000007390000-memory.dmp
memory/2976-179-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-182-0x0000000007380000-0x0000000007390000-memory.dmp
memory/2976-183-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-185-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-187-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-189-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-191-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-193-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-195-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-197-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-199-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-201-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-203-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-205-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-207-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-209-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-211-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-213-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-215-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-217-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-219-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-221-0x00000000072B0000-0x00000000072E5000-memory.dmp
memory/2976-950-0x0000000009DC0000-0x000000000A3D8000-memory.dmp
memory/2976-951-0x000000000A460000-0x000000000A472000-memory.dmp
memory/2976-952-0x000000000A480000-0x000000000A58A000-memory.dmp
memory/2976-953-0x000000000A5A0000-0x000000000A5DC000-memory.dmp
memory/2976-954-0x0000000007380000-0x0000000007390000-memory.dmp
memory/2976-955-0x000000000A8A0000-0x000000000A906000-memory.dmp
memory/2976-956-0x000000000AF70000-0x000000000B002000-memory.dmp
memory/2976-957-0x000000000B120000-0x000000000B170000-memory.dmp
memory/2976-958-0x000000000B180000-0x000000000B1F6000-memory.dmp
memory/2976-959-0x000000000B230000-0x000000000B24E000-memory.dmp
memory/2976-960-0x000000000B350000-0x000000000B512000-memory.dmp
memory/2976-961-0x000000000B520000-0x000000000BA4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/4688-967-0x00000000008C0000-0x00000000008E8000-memory.dmp
memory/4688-968-0x00000000076E0000-0x00000000076F0000-memory.dmp