Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3n7f6age89
Target 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486
SHA256 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486
Tags discovery evasion persistence spyware stealer trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486 was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Launches sc.exe

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:40

Reported

2023-04-23 23:43

Platform

win10v2004-20230221-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | N/A

Checks installed software on the system

discovery

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1612 wrote to memory of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe
PID 4808 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe
PID 4808 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe
PID 1612 wrote to memory of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe | "C:\Users\Admin\AppData\Local\Temp\0de31c115dcfd7dbf25e8250136fd8f8d5812cb78f64c6c7349a9f2152928486.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2036 -ip 2036
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1344
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 117.18.237.29:80 | | tcp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
US | 40.77.2.164:443 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 52.168.112.66:443 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un540130.exe

MD5 3716070e9cf82b326e533cb2b251ae06
SHA1 0cb712593323fca6d0637028629c9104e179eb0b
SHA256 0e00246e7fbc2943d3895655ed324d8b1c64002eec03494bef9b779acf5b03cb
SHA512 52a831d50ec46e504da4a7c74b84464ed6698c2271e5266e19e37c68d8277351639777795cfbbe26fe6f37fe65d7fb3a07959385136a81138ccc88ceffab6a5c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr654625.exe

MD5 11e72c2a4887cd2e6f90623db124f4dc
SHA1 68b89e8ad8859959ffe8c9f06134b623d340f9cb
SHA256 2bd8922b86b99725d39f2b0c9411656306a0589f534000b6c663cb719480d96f
SHA512 3baffcc65815baaaa24c0444406111f6a4f4e55b2eb626254485083e804980a33c3582017b2124136d5212214d67ef51edd4c015ff6b98b65ae05931b431a7e3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu494956.exe

MD5 eadd8ff67f7fd246be33d6a1a5cedbc8
SHA1 946299436c436942683bf78b6e2a45098077411e
SHA256 7a5278fb7f31f95af5a0cd775707fbcb6b6dd61b915405a996127643d5892af5
SHA512 c28fce2a0833fe3cea3dca39ab0e0a1ba9b10dc41f6f1343187fd50b7d799aac491b8884b75ae25d36a0f258c02dfacbb00d8e4931f77356a622036ed2aaf073

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272452.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/740-1004-0x0000000000020000-0x0000000000048000-memory.dmp

memory/740-1005-0x0000000006E50000-0x0000000006E60000-memory.dmp