Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3qx1haab5z
Target 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177
SHA256 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177
Tags: discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177

Threat Level: Known bad

The file 54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-04-23 23:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-23 23:43
Reported: 2023-04-23 23:46
Platform: win10v2004-20230220-en
Max time kernel: 119s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1872 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe
PID 1872 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe
PID 1872 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe
PID 2124 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe
PID 2124 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe
PID 2124 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe
PID 2124 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe
PID 2124 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe
PID 2124 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe
PID 1872 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe
PID 1872 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe
PID 1872 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe

"C:\Users\Admin\AppData\Local\Temp\54d3953f35c44e2b2051a8ce276962bb9ea1d56828b01bf3eab9be4086bec177.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3256 -ip 3256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 52.109.8.86:443 | | tcp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
IE | 20.54.89.15:443 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 93.184.221.240:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471591.exe

MD5 0e21a29d5c7408ee418d9fcd97584925
SHA1 7c40c2c58f2654a2967eb73bbd64775781be0831
SHA256 129661b1ec5ea757822a11632de2218bb45ab9d4bd2d72eb6ec42a74c5b239b5
SHA512 8e74c4cee3a682545560b8eca44c16623676f2ea4c3d261b380cb6ce8da78287fd2503b4ae773c7cda7bf3c92e98a9b9f65b7cd12f7575e96ac33c6cef5432eb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr710256.exe

MD5 f5fbfbfccbbacf005cf34c129effc205
SHA1 3878229f07d89c75d64066c0561c7d2196144e9d
SHA256 c24bc9c5229b5ded0fbf35a0e9fee72a807d63d815b12ac9dd4482df462a87f3
SHA512 2e8e30cab3d1d97a6f41f633aa9f991caf7ec1175afeb5caeb6a2484baaa7088a908160955c364e4629241cb8b40aa7a945dc61086cae900ac0ab3b26d4fdfee

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu652464.exe

MD5 13a9c82af38ddf94bc6f2a30af71d7a4
SHA1 e080b8f66e1c736ed78aae2040abcae2245282ba
SHA256 aa1095d1c0aa6acabde596cb96991da56be53d8b4ed7ee22474cbedcbb140cc6
SHA512 ae6685adba118d1522a8882825005b9ef989e968b8996e48339af4d421f9efe8cee7d995a243f7b1baebab25f60e22fb2f106d90228ebddb90d6b64e8a30d91c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558184.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/3592-1005-0x0000000000440000-0x0000000000468000-memory.dmp

memory/3592-1006-0x00000000074C0000-0x00000000074D0000-memory.dmp