Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3sb6taab6x
Target cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06
SHA256 cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06

Threat Level: Known bad

The file cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:46

Reported

2023-04-23 23:48

Platform

win10-20230220-en

Max time kernel

56s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2392 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe
PID 2392 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe
PID 2392 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe
PID 2488 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe
PID 2488 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe
PID 2488 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe
PID 2488 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe
PID 2488 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe
PID 2488 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe
PID 2392 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe
PID 2392 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe
PID 2392 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe

"C:\Users\Admin\AppData\Local\Temp\cdcbdb8e8f2b57c92d32589475c43a274b83aa0ad96689004b6ce87ee79daf06.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe

Network

Country | Destination | Domain | Proto
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un964890.exe

MD5 c332b51782cb7cf1d27e6b3605b419aa
SHA1 007ffecc0c769c8f7aa7c4ee761bb0037106192e
SHA256 97eb4b0018aa7b9c6f8f8814b3d4f89eee13054a6ad613701e32597edbc18226
SHA512 b6d7f172f70a8ee50028e1e47962fbc9a560888d67deaed7de91befd9296427f2ceaf1cb97603a2b944e097755b80cebaa4ab232fb868401907b877b8a5e46b3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr085756.exe

MD5 e2e38523ee959ad508786fab77e95adf
SHA1 374580d357a6c2be50383738c4b6cc8aabe8e09a
SHA256 a8dd6b575680127f553c1f672ab35141ae0a27bd4f6f6880af3e5c0762718a0a
SHA512 07d3829fbc9ba602d4773949bdf7fdb6dfe9e0beffde66281a25eed7d82bedce08c5b91f7dc4620acc44b53bdab4e5e2b2a1e1a5bfa8746cb4051866c139d809

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu822990.exe

MD5 8d66a3b8048b0b447154ab28d2e7711d
SHA1 77b618e270091d30f213aafdd19b40ca67a46691
SHA256 7cdfe6e5c611408910f6f418ef987cc38e4018398cfbf3a5e5247132b4d6c7c7
SHA512 371badf163248d263a48da4c14048bc7f4b0183035500266d34ab88a29c5219973140029eadf4cd7ba915b203ba8fe9f07d62a32f60036386b477f877fc18335

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si053447.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/2500-997-0x0000000000210000-0x0000000000238000-memory.dmp

memory/2500-998-0x0000000006F90000-0x0000000006FDB000-memory.dmp

memory/2500-999-0x00000000072B0000-0x00000000072C0000-memory.dmp