Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3rdm9aab6t
Target 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381
SHA256 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381

Threat Level: Known bad

The file 87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:44

Reported

2023-04-23 23:47

Platform

win10-20230220-en

Max time kernel

53s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2408 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe
PID 2408 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe
PID 2408 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe
PID 3016 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe
PID 3016 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe
PID 3016 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe
PID 3016 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe
PID 3016 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe
PID 2408 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe
PID 2408 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe
PID 2408 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe

"C:\Users\Admin\AppData\Local\Temp\87883c8b47d5376f253a281432e12a40dcacbdbe44a2b65af4b007e56477d381.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe

Network

Country | Destination | Domain | Proto
N/A | 185.161.248.142:38452 | N/A | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | N/A | tcp
US | 20.189.173.7:443 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwb8250.exe

MD5 31c9f92e60429bd11d92d11300439bba
SHA1 d2c1b1be345111a644ec94b1bef5454a97ae2684
SHA256 e762672ac443cbf80253ea06bcf69a45d1a7246afa0a30ce0cf00fe360a18492
SHA512 f2f7851a838a94212ade23b1d530364f7a7fc8c0fe81835d3e12a6441052131c20c2bfa9093b56608186463081fab85c6bf5e18d8732c5490174ae7b78e51d41

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it459475.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2968-135-0x0000000000B20000-0x0000000000B2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp300830.exe

MD5 dabc83967b13f93f6ad7030670809fba
SHA1 f22a07898a2de623acb556574685a74feb2b1ca7
SHA256 29c26d9dd2fe4f6f61a8e355eac7eb15d184868f6135deca2245dde4b133ea8c
SHA512 52dd684611ec29c9a73edda75ca1935e06e0ac2578f3209ecbc9ccf38b91256eee181fa11d3537f5488277c02446696f9978f03df51725546e45c175033cf15f

memory/3916-141-0x0000000004970000-0x00000000049AC000-memory.dmp

memory/3916-142-0x00000000071F0000-0x00000000076EE000-memory.dmp

memory/3916-143-0x0000000002CE0000-0x0000000002D26000-memory.dmp

memory/3916-145-0x0000000004C10000-0x0000000004C4A000-memory.dmp

memory/3916-144-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3916-146-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3916-147-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3916-148-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-149-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-151-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-153-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-155-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-157-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-159-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-161-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-163-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-165-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-167-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-169-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-171-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-173-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-175-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-177-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-179-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-181-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-183-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-185-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-187-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-189-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-191-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-193-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-195-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-197-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-199-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-201-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-203-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-205-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-207-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-209-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-211-0x0000000004C10000-0x0000000004C45000-memory.dmp

memory/3916-940-0x000000000A1C0000-0x000000000A7C6000-memory.dmp

memory/3916-941-0x0000000009C00000-0x0000000009C12000-memory.dmp

memory/3916-942-0x0000000009C30000-0x0000000009D3A000-memory.dmp

memory/3916-943-0x0000000009D50000-0x0000000009D8E000-memory.dmp

memory/3916-944-0x0000000009ED0000-0x0000000009F1B000-memory.dmp

memory/3916-945-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/3916-946-0x000000000A060000-0x000000000A0C6000-memory.dmp

memory/3916-947-0x000000000AD20000-0x000000000ADB2000-memory.dmp

memory/3916-948-0x000000000ADD0000-0x000000000AE20000-memory.dmp

memory/3916-949-0x000000000AE40000-0x000000000AEB6000-memory.dmp

memory/3916-950-0x000000000AF10000-0x000000000B0D2000-memory.dmp

memory/3916-951-0x000000000B0E0000-0x000000000B60C000-memory.dmp

memory/3916-952-0x000000000B740000-0x000000000B75E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr110460.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/912-958-0x0000000000A70000-0x0000000000A98000-memory.dmp

memory/912-959-0x0000000007820000-0x000000000786B000-memory.dmp

memory/912-960-0x0000000007790000-0x00000000077A0000-memory.dmp