Analysis Overview
SHA256
68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da
Threat Level: Known bad
The file 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:55
Reported
2023-04-23 23:57
Platform
win10v2004-20230220-en
Max time kernel
60s
Max time network
82s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | N/A |
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe
"C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4208 -ip 4208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1096
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1324
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | N/A | tcp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | N/A | tcp |
| US | 40.77.2.164:443 | N/A | tcp |
| US | 13.89.179.9:443 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
| MD5 | 23c3841492808f34af61075697a52720 |
| SHA1 | cd3a2168785bf5d0840f1fcf747fcb2c3bcfb48b |
| SHA256 | f9d07a65aea8fc1169b2b259fc798a05b2f516cb5fee3cb7404c33912725ff52 |
| SHA512 | 2f12de2882acf0f872255ad8aaa4c9b37584e474215612b0259f138a880c620c5d98678e07dd8622fa8770b195aa515e7028ffab42c3805b12f0af66e3bc7346 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
| MD5 | fdda9bb2d78bdb9e39696ec3e1d62e70 |
| SHA1 | 35fb3fb311dd672a73ec43363b8c4d1ae1e64e6f |
| SHA256 | 8540456765fa1ab1bc01c7fadeb332f3ac47dcad6cd391288bb3d4eedab4511f |
| SHA512 | 0e8fea018b80b160548ce92dd27d1dc463f66cfd39900e8a596fa8fc966b8f1f500942f341d3d6fcfc969f811af30c1142238b565c2fa29408f97baf23de9f75 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
| MD5 | 77c68fa4322227d8f24bdbd71455406a |
| SHA1 | e02819914c0df8b2d9058efcc452e23ded5cfdb6 |
| SHA256 | b1f969aceade41735fed2bf30cc138b0b7ac912075300b08ef4fc4657b2beb79 |
| SHA512 | a331842994d107ce8e8281353b383bd02b7ec6eb7bb3b48e1f617f13c1181a22d843a2ba77ed83a24b290914c2e924cccacecf5e7ce40a95bb13493dbf592031 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |