Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3t24maab71
Target 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c
SHA256 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c

Threat Level: Known bad

The file 765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:49

Reported

2023-04-23 23:51

Platform

win10-20230220-en

Max time kernel

47s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe
PID 2060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe
PID 2060 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe
PID 2248 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe
PID 2248 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe
PID 2248 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe
PID 2248 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe
PID 2248 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe
PID 2060 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe
PID 2060 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe
PID 2060 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe

Processes

C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe

"C:\Users\Admin\AppData\Local\Temp\765f651f850fd5eab99d2a690c2afd79ef5c5483fa29d2b9b8347dca3d58c61c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe

Network

Country Destination Domain Proto
N/A 185.161.248.142:38452 tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
N/A 185.161.248.142:38452 tcp
NL 52.178.17.3:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius1826.exe

MD5 9624984b0c80a4817ddaf7a2fc58b294
SHA1 d56745ea704ff655d9d8076ae59156a04df437a8
SHA256 3c060adcfd9d8d3d51bf9775bc221871cc64547a18240d2bac20d0968c8f2a00
SHA512 60b95c75b699747545415c830d17fc22ff875b29a9b76d1d8a1483d2bfbdbd61cd287d80dac03bc530c729ce5c82cd9af7c1b2481d1ac690a69dc675f5a59733

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it326437.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2600-135-0x0000000000690000-0x000000000069A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013838.exe

MD5 643e9671a5ba78ad1ae8dc24f8d7c70a
SHA1 ce311b668a8b23ac7b3ed5bc44e0653fa07eb3c1
SHA256 ab97a0dc3fee55085d714eda320aa89d408bae1e9bc5350dcb6f58c61d037a4f
SHA512 7fa1e804f5a2856c14a6997ff3a20de70d9295ff1be2aaa6e2e9895a8b34b746b6f17ee1680e42251529e70386376ceffcfe14b338fa8ec7696bfd83a59f85e0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr055601.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/1456-959-0x0000000000C10000-0x0000000000C38000-memory.dmp

memory/1456-960-0x0000000007990000-0x00000000079DB000-memory.dmp

memory/1456-961-0x0000000007C80000-0x0000000007C90000-memory.dmp