Analysis Overview
SHA256
0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e
Threat Level: Known bad
The file 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-23 20:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-23 20:59
Reported
2023-04-23 21:01
Platform
win10-20230220-en
Max time kernel
51s
Max time network
149s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe
"C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp |
| N/A | 185.161.248.142:38452 | | tcp |
| US | 52.182.143.211:443 | | tcp |
| US | 67.24.33.254:80 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
| MD5 | a638f4ecc80d3c3b92c86ba0fe768602 |
| SHA1 | 5f6b94c1ec3cbdf361860bc1c7f8e17b0ba9a1ed |
| SHA256 | 93878c738488d0bb9e7df79ad32e34c4e142f80ff7fb2e9883e978ce99406816 |
| SHA512 | 09c7482fcde34f444d0539cea47edd1e4d479603d74852767a025af4daa89950a9cebbc98130d113feb052b1d5dc59bfabc49e9300269d81a42dd2f54a0db63e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
| MD5 | 19c5b4b2753589f40613999fb7bce238 |
| SHA1 | ffd552ee9887c7edaf897780060a9bdb0f03f78c |
| SHA256 | 9dcd824b9ecb72731a22d20d41ce2d17aebe60384d7efb3e52ab026debae02a5 |
| SHA512 | d9f2e52c7f869c54378332a36573757bcf0058f68c38735aa7241211baf50e01dad0e987454a529ebc99d40eee3c86b780117cb62c26d78db8eefcb8bc692723 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
| MD5 | 751bcd0f77072da780e538b4e7a905e6 |
| SHA1 | d94332ff97d94a01b70de2edd53076bf2d2c22d6 |
| SHA256 | 67525e6c216826ddf8bf65ba2833c8fea0481fe345733551ce59a389c190dcf4 |
| SHA512 | 8e75caf82d1a6000882c63b7fcae57c1d9e883560d04eb9a60b6a39f019203006b5cda350bf7ef2de3a33a636afa9152a662858998b1799c27862c4257f324d9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
| MD5 | 8c80b06d843bd6a7599a5be2075d9a55 |
| SHA1 | caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2 |
| SHA256 | e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e |
| SHA512 | cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded |
memory/3236-992-0x0000000000900000-0x0000000000928000-memory.dmp
memory/3236-993-0x0000000007680000-0x00000000076CB000-memory.dmp
memory/3236-994-0x00000000079C0000-0x00000000079D0000-memory.dmp