Malware Analysis Report

2025-08-05 17:19

Sample ID 230423-3svyxsab61
Target a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856
SHA256 a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856

Threat Level: Known bad

The file a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:47

Reported

2023-04-23 23:49

Platform

win10-20230220-en

Max time kernel

54s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | N/A

RunOnce\wextract_cleanup<N> entries that call advpack.dll,DelNodeRunDLL32 are written by the Windows self-extractor (wextract) so that its IXP<NNN>.TMP extraction directory is deleted at the next logon. They remove the dropped files rather than re-launching anything, so what this signature records is the sample's nested self-extracting packaging (the outer executable unpacks into IXP000.TMP, and zirJ5650.exe from that directory unpacks again into IXP001.TMP), not persistence for the payload.
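The Defender values attributed to it830143.exe above and the RunOnce entries in this section are the same kind of telemetry (registry "Set value" rows) but mean very different things: the first set switches real-time protection off and clears TamperProtection, the second is wextract's cleanup marker. As an added example, not part of this report or of any sandbox's code, the following Python parses rows in the shape the report uses (with or without the "|" column separators) and labels each one per writing process, so that tampering and self-extractor housekeeping are not lumped together under one verdict. The label names, the row regex and the final "Updater" Run entry are this example's own inventions; the other sample rows mirror the report's entries.

```python
"""Label sandbox registry 'Set value' rows: Defender tampering vs. wextract cleanup.

Added example for this report; it is not sandbox code. Sample rows are constructed
below in the report's row shape, with or without '|' column separators:
  Set value (<type>) <key>\<name> = "<data>" <writing process> <target>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection values
# that each switch off one piece of real-time protection when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s*\|?\s*(?P<path>.+?) = "(?P<data>(?:[^"\\]|\\.)*)"'
    r'\s*\|?\s*(?P<process>\S+)(?:\s*\|?\s*(?P<target>\S+))?$'
)

@dataclass
class RegistryEvent:
    value_type: str
    key: str       # parent key, e.g. \REGISTRY\MACHINE\SOFTWARE\...\RunOnce
    name: str      # value name, e.g. wextract_cleanup0
    data: str      # value data as the sandbox printed it (escapes kept)
    process: str   # image path of the writing process

def parse_set_value(row: str) -> Optional[RegistryEvent]:
    """Parse one 'Set value' row; rows of any other shape give None."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return RegistryEvent(m.group("type"), key, name, m.group("data"), m.group("process"))

def classify(ev: RegistryEvent) -> str:
    """Labels are this example's own names, not the sandbox's signature names."""
    key = ev.key.lower()
    if (key.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and ev.name in RTP_DISABLE_VALUES and ev.data == "1"):
        return "defender_rtp_disabled"
    if (key.endswith(r"\microsoft\windows defender\features")
            and ev.name == "TamperProtection" and ev.data == "0"):
        return "defender_tamper_protection_off"
    if key.endswith(r"\currentversion\runonce"):
        # wextract (the Windows self-extractor) registers exactly this entry so that
        # advpack.dll deletes its IXP<nnn>.TMP directory at the next logon. It removes
        # the dropped files instead of re-launching them: packaging housekeeping, not
        # payload persistence, so it gets its own label rather than a Run-key alert.
        if (ev.name.lower().startswith("wextract_cleanup")
                and "advpack.dll,DelNodeRunDLL32" in ev.data):
            return "wextract_cleanup"
        return "runonce_entry"
    if key.endswith(r"\currentversion\run"):
        return "run_entry"
    return "other"

def triage(rows: List[str]) -> Dict[str, List[str]]:
    """Group labels by writing process so each dropped binary gets its own verdict."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        ev = parse_set_value(row)
        if ev is not None:
            findings[ev.process].append(classify(ev))
    return dict(findings)

def disables_defender(labels: List[str]) -> bool:
    """True when one process both turns off RTP pieces and clears TamperProtection."""
    return "defender_rtp_disabled" in labels and "defender_tamper_protection_off" in labels

TMP = r"C:\Users\Admin\AppData\Local\Temp"
IT = TMP + r"\IXP001.TMP\it830143.exe"
DROPPER = TMP + r"\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed sample rows: the first seven mirror the report's entries, the last
# one is invented only to show the contrasting 'run_entry' label.
SAMPLE_ROWS = [
    f'Set value (int) {RTP}\\DisableOnAccessProtection = "1" {IT} N/A',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" {IT} N/A',
    f'Set value (int) | {RTP}\\DisableScanOnRealtimeEnable = "1" | {IT} | N/A',
    f'Set value (int) | {RTP}\\DisableBehaviorMonitoring = "1" | {IT} | N/A',
    f'Set value (int) | {RTP}\\DisableIOAVProtection = "1" | {IT} | N/A',
    f'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" {IT} N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = '
    r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" '
    + DROPPER + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\updater.exe N/A',
]

if __name__ == "__main__":
    for proc, labels in triage(SAMPLE_ROWS).items():
        print(f"{proc}\n  {labels}\n  disables Defender: {disables_defender(labels)}")
```

Run against the sample rows, it830143.exe is the only process that earns both Defender labels, the dropper's only registry activity is the wextract cleanup marker, and the invented Run entry shows what a real autorun entry would look like next to them.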

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3076 wrote to memory of 3276 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe
PID 3276 wrote to memory of 3748 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe
PID 3276 wrote to memory of 4140 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe
PID 3076 wrote to memory of 2608 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe

Processes

PIDs and parent/child relationships below are taken from the WriteProcessMemory entries above (the writing process is shown as the parent of the process it wrote to). Each process is listed with its image path and command line.

PID 3076  C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe"

  PID 3276  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe

    PID 3748  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe

    PID 4140  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe

  PID 2608  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe
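The WriteProcessMemory entries and the process list above together give the process tree: each "wrote to memory of" pair is a creator and the process it started, and the IXP<nnn>.TMP directory in a path shows which self-extractor stage dropped it. Parent-to-child writes of this shape can also be produced by ordinary process creation (the creator writes start-up data into the child it has just made), so by themselves they do not establish code injection; the useful content is the structure. The following Python is an added example, not sandbox code: it parses rows in the report's shape (with or without "|" separators and an optional "(N events)" count), rebuilds the tree, and renders it with each process's extraction stage and the number of write events from its parent. The ProcessTree class and its output format are this example's own; the sample rows mirror the report's entries.

```python
"""Rebuild the process tree from sandbox 'PID A wrote to memory of B' rows.

Added example for this report, not sandbox code. Sample rows are constructed
below in the report's shape, with or without '|' column separators:
  PID <writer> wrote to memory of <written> [(N events)] N/A <writer image> <written image>
"""
import re
from collections import Counter
from typing import Dict, List, Optional

WRITE_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events\))?"
    r"\s*\|?\s*N/A\s*\|?\s*(\S+)\s*\|?\s*(\S+)$"
)
IXP_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

class ProcessTree:
    def __init__(self) -> None:
        self.image: Dict[int, str] = {}            # pid -> image path
        self.parent: Dict[int, int] = {}           # child pid -> first process that wrote to it
        self.children: Dict[int, List[int]] = {}   # parent pid -> children in first-seen order
        self.writes: Counter = Counter()           # (writer, written) -> number of write events

    def add(self, writer: int, written: int, writer_img: str, written_img: str, count: int = 1) -> None:
        self.image.setdefault(writer, writer_img)
        self.image.setdefault(written, written_img)
        self.writes[(writer, written)] += count
        if written not in self.parent:
            self.parent[written] = writer
            self.children.setdefault(writer, []).append(written)

    def roots(self) -> List[int]:
        return [pid for pid in self.image if pid not in self.parent]

    def stage(self, pid: int) -> Optional[str]:
        """IXP<nnn>.TMP directory the image runs from, i.e. its wextract nesting level."""
        m = IXP_RE.search(self.image[pid])
        return m.group(1).upper() if m else None

    def render(self, pid: Optional[int] = None, depth: int = 0) -> str:
        """Indented tree; each child shows how many write events came from its parent."""
        lines: List[str] = []
        for node in ([pid] if pid is not None else self.roots()):
            parent = self.parent.get(node)
            origin = "" if parent is None else f" ({self.writes[(parent, node)]} writes from {parent})"
            lines.append("  " * depth + f"{node} {self.stage(node) or '-'} {basename(self.image[node])}{origin}")
            for child in self.children.get(node, []):
                lines.append(self.render(child, depth + 1))
        return "\n".join(lines)

def parse_write_rows(rows: List[str]) -> ProcessTree:
    tree = ProcessTree()
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if m:
            count = int(m.group(3)) if m.group(3) else 1
            tree.add(int(m.group(1)), int(m.group(2)), m.group(4), m.group(5), count)
    return tree

TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TMP + r"\a7626e55e8539a6d1b01e1d05bf884b8b7ffa990cfd62cb29dcb298a89faa856.exe"
ZIR = TMP + r"\IXP000.TMP\zirJ5650.exe"
IT = TMP + r"\IXP001.TMP\it830143.exe"
KP = TMP + r"\IXP001.TMP\kp122533.exe"
LR = TMP + r"\IXP000.TMP\lr662247.exe"

# Constructed sample rows mirroring the report's WriteProcessMemory table; the
# last row uses the collapsed '(N events)' form to show both shapes parse alike.
SAMPLE_ROWS = (
    [f"PID 3076 wrote to memory of 3276 N/A {DROPPER} {ZIR}"] * 3
    + [f"PID 3276 wrote to memory of 3748 N/A {ZIR} {IT}"] * 2
    + [f"PID 3276 wrote to memory of 4140 N/A {ZIR} {KP}"] * 3
    + [f"PID 3076 wrote to memory of 2608 (3 events) | N/A | {DROPPER} | {LR}"]
)

if __name__ == "__main__":
    print(parse_write_rows(SAMPLE_ROWS).render())
```

The rendered tree shows the dropper (no IXP stage) at the root, zirJ5650.exe and lr662247.exe from IXP000.TMP under it, and it830143.exe and kp122533.exe from IXP001.TMP under zirJ5650.exe, which is the two-level self-extractor layout the RunOnce cleanup entries also describe.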

Network

Country | Destination | Domain | Proto
N/A | 185.161.248.142:38452 | N/A | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | N/A | tcp
US | 20.189.173.12:443 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
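Two things are worth pulling out of the Network table: the repeated direct-to-IP connection to 185.161.248.142 on TCP 38452 with no name lookup behind it, and the two PTR (in-addr.arpa) queries, one of which asks about that same address while the other (for 52.109.13.63) matches no connection in the table. The following Python is an added example, not sandbox code: it parses rows in the report's shape (with or without "|" separators), reverses the in-addr.arpa names back into addresses, and reports each direct-to-IP flow with its count, whether the port is one where such a flow is unremarkable, and whether a PTR lookup for the same address was seen. The set of "common" ports and the output field names are this example's choices; the sample rows mirror the report's table.

```python
"""Extract network IOCs from the report's Network rows and tie PTR lookups to flows.

Added example for this report, not sandbox code. Sample rows are constructed
below in the report's shape, with or without '|' separators; the Domain column
is empty (or N/A) for connections made straight to an IP address:
  <country> <ip:port> [<domain>] <proto>
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

COMMON_PORTS = {80, 443}   # ports where a direct-to-IP flow is unremarkable on its own
RESOLVER_PORT = 53

@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str

def parse_flow(row: str) -> Flow:
    parts = [p.strip() for p in row.split("|")] if "|" in row else row.split()
    if len(parts) == 3:                      # flattened row with an empty Domain cell
        parts.insert(2, "")
    if len(parts) != 4:
        raise ValueError(f"unexpected Network row: {row!r}")
    country, dest, domain, proto = parts
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)                 # rejects a stray header line or junk
    return Flow(country, ip, int(port), domain if domain not in ("", "N/A", "-") else None, proto)

def ptr_to_ip(name: str) -> Optional[str]:
    """'142.248.161.185.in-addr.arpa' -> '185.161.248.142'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip

def summarize(rows: List[str]) -> Dict[str, list]:
    flows = [parse_flow(r) for r in rows]
    # Port-53 rows are the sandbox resolver being asked a question; they show what
    # was looked up, not who was contacted, so they are kept apart from the flows.
    lookups = [f for f in flows if f.port == RESOLVER_PORT and f.domain]
    contacts = [f for f in flows if f.port != RESOLVER_PORT]
    ptr_targets = {ip for f in lookups if (ip := ptr_to_ip(f.domain)) is not None}
    named_ips = {f.ip for f in contacts if f.domain}
    counts = Counter((f.ip, f.port, f.proto) for f in contacts)
    direct = [
        {"ip": ip, "port": port, "proto": proto, "count": n,
         "nonstandard_port": port not in COMMON_PORTS,
         "ptr_lookup_seen": ip in ptr_targets}
        for (ip, port, proto), n in counts.items() if ip not in named_ips
    ]
    return {
        "direct_ip_flows": direct,
        # PTR lookups for addresses that never appear as a connection in the table
        "orphan_ptr_lookups": sorted(ptr_targets - {f.ip for f in contacts}),
        "forward_lookups": sorted({f.domain for f in lookups if ptr_to_ip(f.domain) is None}),
    }

def priority_iocs(summary: Dict[str, list]) -> List[str]:
    """'ip:port/proto' for direct-to-IP flows on non-standard ports, most frequent first."""
    hits = [d for d in summary["direct_ip_flows"] if d["nonstandard_port"]]
    return [f'{d["ip"]}:{d["port"]}/{d["proto"]}' for d in sorted(hits, key=lambda d: -d["count"])]

# Constructed sample rows mirroring the report's Network table, in both row shapes.
SAMPLE_ROWS = [
    "N/A 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp",
    "N/A | 185.161.248.142:38452 | N/A | tcp",
    "US | 20.189.173.12:443 | N/A | tcp",
    "US 209.197.3.8:80 tcp",
    "US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("priority IOCs:", priority_iocs(s))
    print("PTR lookups without a matching flow:", s["orphan_ptr_lookups"])
```

On the sample rows the only priority IOC is 185.161.248.142:38452/tcp (two connections, non-standard port, PTR lookup seen); the port 80 and 443 flows are listed as direct-to-IP but not prioritised, since the table gives no basis for attributing them either way.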

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirJ5650.exe

MD5 5151982b85228606a718116d4790f4d0
SHA1 c73b79689d5b810f1ff7556da0a7f2da91a2f3fa
SHA256 67209925b30d7ff6935c209341ad3b7f070e26ee17753fc4ce3775d9664a418b
SHA512 23ecf0aa325c649d1b611f3cecdaeb2e3d51ac023ad4ad9ab237406f22d74ecc8d69fa73f1571ecdd425a09fe3d4e2225672a8e218647f9f6653a66b4ffcea3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it830143.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3748-134-0x00000000000F0000-0x00000000000FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp122533.exe

MD5 e090763a72c191b237f19756229c5ee0
SHA1 4508610e7c287ba7b52eef6119d8a5ad8e32c7c8
SHA256 56746625235f6431dc5565ce6fadb6595f495acb6691ac429d3ca3a5eddd0a39
SHA512 7eef90551480d92b150b741076469d2cb0353f76d0e01161521dd89e050eefc57e449e39ddd4f15e9b3fda857e5ac426fffdb723645df471c4251cc2872df5b5

memory/4140-140-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

memory/4140-141-0x0000000002BD0000-0x0000000002C16000-memory.dmp

memory/4140-142-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/4140-143-0x0000000007150000-0x000000000764E000-memory.dmp

memory/4140-144-0x0000000007690000-0x00000000076CA000-memory.dmp

memory/4140-{145,146,148,150,...,186}-0x0000000007690000-0x00000000076C5000-memory.dmp  (22 dumps of this one region: indices 145, 146 and every even index from 148 to 186)

memory/4140-187-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/4140-190-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/4140-{189,192,194,...,210}-0x0000000007690000-0x00000000076C5000-memory.dmp  (11 dumps of the same region: index 189 and every even index from 192 to 210)

memory/4140-939-0x000000000A1A0000-0x000000000A7A6000-memory.dmp

memory/4140-940-0x0000000009C00000-0x0000000009C12000-memory.dmp

memory/4140-941-0x0000000009C30000-0x0000000009D3A000-memory.dmp

memory/4140-942-0x0000000009D50000-0x0000000009D8E000-memory.dmp

memory/4140-943-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/4140-944-0x0000000009ED0000-0x0000000009F1B000-memory.dmp

memory/4140-945-0x000000000A060000-0x000000000A0C6000-memory.dmp

memory/4140-946-0x000000000AD20000-0x000000000ADB2000-memory.dmp

memory/4140-947-0x000000000ADE0000-0x000000000AE56000-memory.dmp

memory/4140-948-0x000000000AEB0000-0x000000000B072000-memory.dmp

memory/4140-949-0x000000000B090000-0x000000000B5BC000-memory.dmp

memory/4140-950-0x000000000B6D0000-0x000000000B6EE000-memory.dmp

memory/4140-951-0x0000000006CB0000-0x0000000006D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr662247.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/2608-957-0x00000000002D0000-0x00000000002F8000-memory.dmp

memory/2608-958-0x0000000007050000-0x000000000709B000-memory.dmp

memory/2608-959-0x0000000007340000-0x0000000007350000-memory.dmp