Analysis Overview
SHA256
476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4
Threat Level: Known bad
The file 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 20:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 20:58
Reported
2023-04-23 21:00
Platform
win10v2004-20230220-en
Max time kernel
83s
Max time network
146s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | N/A |
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe
"C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5096 -ip 5096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1320
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
| MD5 | 87ce86e77ccfa5a23782f779f2a1b8d9 |
| SHA1 | 96aa608ce0bd3e9482f12f22ab98742d34fb1d89 |
| SHA256 | 027ddbf37851f2b1a19aa26d56bc303e07e36ceb99eeaf2f2acb46ce0130b81f |
| SHA512 | ef86daa457d865ef4c0491f64367fbc2b84392b7ac04778efc90d7eea5e932167bf20c3e6e84d17669106edb9fca80d0177193f7d6b68b479b703b2221f13b2c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2684-147-0x0000000000A00000-0x0000000000A0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
| MD5 | da856a20ca764dfefaeec22336150477 |
| SHA1 | ab72e8813c77a7214ab53c70a7327082aca69f3d |
| SHA256 | 8cb7a0df0d1e247209c974313f59aeb97f2f744bf092b94755dcb7922b203840 |
| SHA512 | 54f7bc2cbcf753eea22e7f047bbb443d95556c17bbe527b4cf25ec1e7f906a10965c7f16c49071e3c61d0b043799870f921f225507b6c9d93422fff336ef4c98 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe
| MD5 | 8c80b06d843bd6a7599a5be2075d9a55 |
| SHA1 | caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2 |
| SHA256 | e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e |
| SHA512 | cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded |
memory/3104-973-0x0000000000490000-0x00000000004B8000-memory.dmp
memory/3104-974-0x0000000007250000-0x0000000007260000-memory.dmp