Analysis Overview
SHA256
a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690
Threat Level: Known bad
The file a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2023-04-23 23:54 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-04-23 23:54 |
| Reported | 2023-04-23 23:57 |
| Platform | win10v2004-20230220-en |
| Max time kernel | 135s |
| Max time network | 144s |
| Command Line | |
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe | N/A |
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe | "C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2316 -ip 2316 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1080 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1764 -ip 1764 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1328 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe |
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.177.126:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.168.112.66:443 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| NL | 8.238.177.126:80 | | tcp |
| NL | 8.238.177.126:80 | | tcp |
| NL | 8.238.177.126:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe
| MD5 | 07ac68f2be3aab9bb071d7b907d39379 |
| SHA1 | 0654f0693f18f1f129a40ec0309bd86cf744c17c |
| SHA256 | 48038db3ecb15e2c93a574bb9795e616d973de200cd1e6fad04d89b1c0a227d0 |
| SHA512 | 8abea60cbd4c7f2457d9525eb39f13ad1e7a08d2d4ecb3d01bf622f173e00a6344add195cb6bc38c0d83ae8e52fb2ae8af4871148492cc0b0ed717adf611d407 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe
| MD5 | e7f1771bf22f743bc715dde7cc81925b |
| SHA1 | cf3e7b1ce49d5a083b886dc271e340aa93c73081 |
| SHA256 | 19ebd4dc58e6cf02b2db94723bffc0585b751466fbf424e59b9117d1fd142d9f |
| SHA512 | c1dfe69f70ad7f1678cf3a62cf15b3ad63afcd4fdde10ecbde54dd09b97cf41115a1f2418f80c2bc746b71d5adb3c097072023ac29b2c5bcfc4b94f4445d3372 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe
| MD5 | 46a77d714dde37888f67478de5da8c39 |
| SHA1 | 9703e7463650722f0480fd4f325166fb87084288 |
| SHA256 | cdb24c6234bfe795c753638e1daaf619550a8b80dbb791a9876cddfb84ac5dfb |
| SHA512 | d4d4c84d1bfdf57a8c0aa95c3936f62e4cc631fef6efc5695ccbf3e1e838a3aff7fb0f18e247ba87f158d8235d0b74004b48d540b70b62e5a35a16497bd1768f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |