Analysis Overview
SHA256
bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8
Threat Level: Known bad
The file bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 23:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 23:56
Reported
2023-04-23 23:59
Platform
win10v2004-20230220-en
Max time kernel
114s
Max time network
129s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
All five values sit under the Group Policy key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; writing there requires administrative rights, which the sandbox evidently ran the sample with. The paths are recorded under WOW6432Node because pr419578.exe is a 32-bit process (its crash is handled by C:\Windows\SysWOW64\WerFault.exe below) and its HKLM\SOFTWARE writes went through the WOW64 registry redirector, so hunt on both the native and the WOW6432Node view. The sandbox records the writes, not their effect: on a host with tamper protection enabled Defender ignores these values, and whether real-time protection actually went off is shown by Microsoft Defender Operational log events 5001 (real-time protection disabled) and 5007 (configuration changed), not by the registry write alone.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
TamperProtection under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is the tamper-protection state value (again seen through the WOW6432Node view). Defender protects this value itself, and on a managed host with tamper protection enabled this write is expected to fail or be reverted; its presence alongside the Real-Time Protection policy values above shows the sample trying to make those values stick. The report does not show whether any protection was actually disabled.
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | N/A |
Both values are the self-cleanup entries that Microsoft's wextract (IExpress) self-extracting executables write: at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the extraction directory. Together with the IXP000.TMP / IXP001.TMP directory names they identify the sample as a nested wextract package: the outer file extracts un751405.exe and qu279112.exe into IXP000.TMP, and un751405.exe in turn extracts 18845640.exe and pr419578.exe into IXP001.TMP. These entries delete files rather than start the payload, so this signature is not persistence of the malware.
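The three registry signatures above (the Real-Time Protection policy values, the TamperProtection state value, and the wextract RunOnce entries) are what one hunts for in Sysmon Event ID 12/13 (RegistryEvent) data. The Python below is an added example written for this page, not part of the sandbox report or its tooling: it normalizes the kernel-style key paths the report prints (folding the WOW6432Node view onto the native one), flags the Defender writes only when the written data actually disables something, and separates wextract's advpack.dll,DelNodeRunDLL32 cleanup values from genuine Run/RunOnce persistence. SAMPLE_EVENTS is transcribed from the tables in this report; the two control rows (example_persist.exe and a gpupdate.exe re-enabling real-time monitoring) are constructed and not from the report, and the RegEvent fields and finding names are this example's own.

```python
"""Registry-event triage for the behaviours in this report: Defender
real-time-protection policy values, the TamperProtection state value, and
Run/RunOnce entries (telling wextract's self-cleanup apart from persistence).
SAMPLE_EVENTS is transcribed from the report's tables plus two constructed
control cases; the event shape mirrors Sysmon Event ID 12/13 records."""
import re
from dataclasses import dataclass
from typing import Optional

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch a real-time protection component off when set to 1.
DEFENDER_RTP_OFF = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection",
    "disablescanonrealtimeenable",
}
# RunOnce data written by Microsoft's wextract (IExpress) self-extractors:
# rundll32 <path>\advpack.dll,DelNodeRunDLL32 "<dir>" deletes <dir> at next logon.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$',
    re.IGNORECASE)

@dataclass
class RegEvent:
    process: str     # image that performed the write
    key: str         # key path as the sandbox or Sysmon records it
    value: str = ""  # value name; empty for "key created"
    data: str = ""   # data written; empty for "key created"

def normalize_key(path: str) -> tuple:
    """Map \\REGISTRY\\MACHINE to HKLM and drop the WOW6432Node segment so one
    rule covers both registry views. Returns (canonical path, via_wow64)."""
    p = re.sub(r"(?i)^\\REGISTRY\\MACHINE\\", r"HKLM\\", path)
    p = re.sub(r"(?i)^\\REGISTRY\\USER\\", r"HKU\\", p)
    via_wow64 = re.search(r"(?i)\\WOW6432Node\\", p) is not None
    return re.sub(r"(?i)\\WOW6432Node\\", r"\\", p), via_wow64

def classify(ev: RegEvent) -> Optional[dict]:
    """Return a finding for an interesting write, else None."""
    key, via_wow64 = normalize_key(ev.key)
    lk, val, data = key.lower(), ev.value.lower(), ev.data.strip().strip('"')
    finding = None
    if lk.endswith(r"\policies\microsoft\windows defender\real-time protection"):
        if val in DEFENDER_RTP_OFF and data == "1":
            finding = ("defender_rtp_disabled", ev.value)
    elif lk.endswith(r"\microsoft\windows defender\features"):
        if val == "tamperprotection" and data == "0":
            finding = ("defender_tamper_protection_off", ev.value)
    elif re.search(r"\\currentversion\\run(?:once)?$", lk) and ev.value:
        m = WEXTRACT_CLEANUP.match(ev.data)
        if m:  # deletes a directory at next logon; not payload persistence
            finding = ("wextract_cleanup", m.group("dir").rstrip("\\"))
        else:
            finding = ("autorun_persistence", ev.data)
    if finding is None:
        return None
    return {"kind": finding[0], "detail": finding[1], "process": ev.process,
            "key": key, "value": ev.value, "via_wow64": via_wow64}

def triage(events: list) -> list:
    return [f for f in map(classify, events) if f]

PR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\{}\"'
SAMPLE_EVENTS = [  # transcribed from the report
    RegEvent(PR, RTP),
    RegEvent(PR, RTP, "DisableIOAVProtection", '"1"'),
    RegEvent(PR, RTP, "DisableOnAccessProtection", '"1"'),
    RegEvent(PR, RTP, "DisableRealtimeMonitoring", '"1"'),
    RegEvent(PR, RTP, "DisableScanOnRealtimeEnable", '"1"'),
    RegEvent(PR, RTP, "DisableBehaviorMonitoring", '"1"'),
    RegEvent(PR, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features",
             "TamperProtection", '"0"'),
    RegEvent(r"C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe",
             RUNONCE, "wextract_cleanup0", CLEANUP.format("IXP000.TMP")),
    RegEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe",
             RUNONCE, "wextract_cleanup1", CLEANUP.format("IXP001.TMP")),
    # Constructed control cases, not from the report: a real autorun, and a
    # policy value being set back to 0, which must not be flagged.
    RegEvent(r"C:\Users\Admin\AppData\Roaming\example_persist.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "ExampleUpdater", r'"C:\Users\Admin\AppData\Roaming\example_persist.exe" /silent'),
    RegEvent(r"C:\Windows\System32\gpupdate.exe", RTP, "DisableRealtimeMonitoring", '"0"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['kind']:<30} {f['value']:<28} {f['detail']}")
```

Run as a script it prints nine findings: five real-time protection values, the TamperProtection write, the two wextract cleanup entries (reported as such, with the directory they will delete) and the constructed autorun; the key-creation rows and the re-enable control produce nothing. When moving this onto real telemetry, remember that a hit under HKLM\SOFTWARE\Policies also tells you the process had administrative rights, and that on a host with tamper protection on the policy values are ignored and the TamperProtection write should fail, so confirm actual effect from Defender Operational log events 5001 and 5007 rather than from the registry write alone.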
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | "C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 988 -ip 988 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1088 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1740 -ip 1740 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1956 |
WerFault's -p argument is the PID of the crashing process: read with the Program crash table above, 988 is pr419578.exe and 1740 is qu279112.exe, matching the memory/988-* and memory/1740-* dump names under Files (the memory/3692-* dumps listed next to 18845640.exe are, by position, that process). The report gives no parent/child relationships; the nesting follows only from the extraction directories (IXP000.TMP, IXP001.TMP) and the RunOnce cleanup entries.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 40.77.2.164:443 | | tcp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 13.107.42.16:443 | | tcp |
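The rows above that are not DNS are direct-to-IP TCP connections, and the report does not say which process made them. The Python below is an added example for this page, not output of the sandbox: it decodes the in-addr.arpa PTR queries back to the addresses they ask about, counts connections per destination, and flags TCP connections to public addresses on ports other than 80/443 for review, noting whether a PTR query for that address also appears in the table. NETWORK_ROWS is the table above transcribed; WEB_PORTS and the flagging rule are this example's own assumptions.

```python
"""Triage of the report's Network table: decode PTR (in-addr.arpa) queries back
to the addresses they ask about, count TCP connections per destination, and flag
direct-to-IP connections on non-web ports to public addresses. NETWORK_ROWS is
transcribed from the report (OS/sandbox background traffic included); the
flagging heuristic is this example's, not the sandbox's."""
import ipaddress
from collections import Counter
from typing import Optional

# (country, destination, domain, proto); domain is "" for plain connections.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("N/A", "185.161.248.142:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "142.248.161.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "123.108.74.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.3.197.209.in-addr.arpa", "udp"),
    ("US", "40.77.2.164:443", "", "tcp"),
    ("N/A", "185.161.248.142:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.36.159.162.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "62.13.109.52.in-addr.arpa", "udp"),
    ("NL", "8.238.179.126:80", "", "tcp"),
    ("NL", "173.223.113.164:443", "", "tcp"),
    ("NL", "173.223.113.131:80", "", "tcp"),
    ("US", "131.253.33.203:80", "", "tcp"),
    ("US", "13.107.42.16:443", "", "tcp"),
]
WEB_PORTS = {80, 443}  # assumption: where OS/CDN background traffic lives in a sandbox

def ptr_to_ip(name: str) -> Optional[str]:
    """'142.248.161.185.in-addr.arpa' -> '185.161.248.142'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def split_dst(dst: str) -> tuple:
    host, _, port = dst.rpartition(":")
    return host, int(port)

def triage_network(rows) -> dict:
    ptr_targets = set()
    conns = Counter()
    for _country, dst, domain, proto in rows:
        ip, port = split_dst(dst)
        if proto == "udp" and port == 53 and domain:
            target = ptr_to_ip(domain)  # a PTR query names the IP being looked up
            if target:
                ptr_targets.add(target)
            continue
        conns[(ip, port, proto)] += 1
    flagged = []
    for (ip, port, proto), n in sorted(conns.items()):
        if proto == "tcp" and port not in WEB_PORTS and ipaddress.ip_address(ip).is_global:
            flagged.append({"dst": f"{ip}:{port}", "count": n,
                            "ptr_queried": ip in ptr_targets})
    return {"flagged": flagged,
            "ptr_targets": sorted(ptr_targets, key=ipaddress.ip_address),
            "connections": {f"{ip}:{port}/{proto}": n
                            for (ip, port, proto), n in conns.items()}}

if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for f in result["flagged"]:
        print("review:", f)
    print("reverse-resolved:", ", ".join(result["ptr_targets"]))
```

On this table the rule isolates 185.161.248.142:38452 (two connections, plus a PTR query for the same address). Treat it as a first cut: it deliberately ignores 80/443, which is where OS and CDN background traffic sits in a sandbox but also where a sample can hide, so check those destinations against known Microsoft and CDN ranges rather than dropping them.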
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe
| MD5 | 2de59ca0f50cbc460923e6626754b8ee |
| SHA1 | 4e217d61ef0975ce359aa9ec461429b5e8e4d71d |
| SHA256 | 7e5896cebbebf4fd6df21cead501486c2cd925e9c1a3983e61fe17a6d8e2367a |
| SHA512 | 7af3a7ffd41837a4c368f7ccd4bb02ea2db1ad1cc3d971bcf693cef3d6ca56046f47fc7209bfe675ead6793cdfd628d8b1464e074e0cb06b4b0fa4c3c446744f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe
| MD5 | ace73b2b1f835de11594ea9a243a9f5c |
| SHA1 | 2f929d1f69784fbe499a95b064679a16947bdd84 |
| SHA256 | 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49 |
| SHA512 | 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e |
memory/3692-147-0x0000000000BB0000-0x0000000000BD8000-memory.dmp
memory/3692-148-0x0000000007E50000-0x0000000008468000-memory.dmp
memory/3692-149-0x00000000078E0000-0x00000000078F2000-memory.dmp
memory/3692-150-0x0000000007A10000-0x0000000007B1A000-memory.dmp
memory/3692-151-0x0000000007980000-0x00000000079BC000-memory.dmp
memory/3692-152-0x0000000007930000-0x0000000007940000-memory.dmp
memory/3692-153-0x0000000007C80000-0x0000000007CE6000-memory.dmp
memory/3692-154-0x0000000008820000-0x00000000088B2000-memory.dmp
memory/3692-155-0x0000000008E70000-0x0000000009414000-memory.dmp
memory/3692-156-0x0000000008910000-0x0000000008960000-memory.dmp
memory/3692-157-0x0000000008A40000-0x0000000008AB6000-memory.dmp
memory/3692-158-0x0000000009420000-0x00000000095E2000-memory.dmp
memory/3692-159-0x0000000009B20000-0x000000000A04C000-memory.dmp
memory/3692-160-0x0000000008C20000-0x0000000008C3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe
| MD5 | 45421b5d132aa2e4d872fb2a5998ceae |
| SHA1 | 7fffcb816537a873d1c1b3a0f7eea721320c8e10 |
| SHA256 | be18081f0f5777fdfec0e79812241f55a660e8619ce307c01327ffe23273f544 |
| SHA512 | bdf382544fbe301fbd08ebf46b97e531d23bd38bc48e118da1ef9aafd97d54576c1e94129b3efca3740c601d787446f82dfe3fa8cfad496a7b4a1ee5ca6a577d |
memory/988-166-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-167-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-169-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-171-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-173-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-175-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-177-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-179-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-181-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-183-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-185-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-187-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-189-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-191-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-193-0x0000000007110000-0x0000000007122000-memory.dmp
memory/988-194-0x0000000002C80000-0x0000000002CAD000-memory.dmp
memory/988-195-0x0000000007270000-0x0000000007280000-memory.dmp
memory/988-196-0x0000000007270000-0x0000000007280000-memory.dmp
memory/988-197-0x0000000007270000-0x0000000007280000-memory.dmp
memory/988-198-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/988-200-0x0000000007270000-0x0000000007280000-memory.dmp
memory/988-201-0x0000000007270000-0x0000000007280000-memory.dmp
memory/988-202-0x0000000007270000-0x0000000007280000-memory.dmp
memory/988-203-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe
| MD5 | d6c93a35e3df5f1c7142e88e67e5557e |
| SHA1 | 5cdab3d894ce6d6966603de2fde1be9bae438593 |
| SHA256 | 6ee570e0738a36142496c6b27dd66f8986b413961da7093f82d095fe636759a8 |
| SHA512 | 370e757a3d92dbd60d1bdd2b0d67b7bd8f27d16addc9d465864c2857bcb804de911f89e6c2ed8bf21916ff296acd318f6a2d227d56f8b9e45d3a80f8affeb3ef |
memory/1740-208-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-209-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-211-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-213-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-215-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-217-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-219-0x0000000004550000-0x0000000004596000-memory.dmp
memory/1740-221-0x00000000071C0000-0x00000000071D0000-memory.dmp
memory/1740-223-0x00000000071C0000-0x00000000071D0000-memory.dmp
memory/1740-225-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-224-0x00000000071C0000-0x00000000071D0000-memory.dmp
memory/1740-220-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-227-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-229-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-231-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-233-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-235-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-237-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-241-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-239-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-243-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-245-0x0000000007780000-0x00000000077B5000-memory.dmp
memory/1740-1004-0x00000000071C0000-0x00000000071D0000-memory.dmp