Malware Analysis Report

2025-08-05 17:19

Sample ID 230423-3v8mssab8z
Target 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d
SHA256 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d

Threat Level: Known bad

The file 9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:51

Reported

2023-04-23 23:53

Platform

win10v2004-20230220-en

Max time kernel

60s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
PID 1280 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
PID 1280 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe
PID 5028 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
PID 5028 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
PID 5028 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe
PID 5028 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
PID 5028 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
PID 5028 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe
PID 1280 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe
PID 1280 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe
PID 1280 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe

"C:\Users\Admin\AppData\Local\Temp\9e51f9834bfc8268528230a7a40ffe292ac3a08ac2149273db3fa51c22661c8d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 185.161.248.142:38452 tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
N/A 185.161.248.142:38452 tcp
US 40.77.2.164:443 tcp
US 13.89.179.9:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un205020.exe

MD5 82ec6afdd501c9a3c905a8898780e346
SHA1 aaff301fc96ab46ee46e83a15a3b3b272cdc942a
SHA256 7e78e6c2ac3add67b6ba629bc39da526e12cd5c4425b4e66282b71636074028c
SHA512 0589875ab791438dfcea223d03b287a8fc81809ed87805e1fc56a050d9380e040db6624e17e978aecb33b88b90fb54f0c89f2b7ebf3333a193297298e7c79960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr738755.exe

MD5 f044fcaeb9896ee1fdb250673ffd63e6
SHA1 5955d1441c9160a49e37cf27f0db01490cef87b6
SHA256 681980a7ad175640cdbbe69864de16b1bef0645f13e67451548d51a64540bdbe
SHA512 623200c0c4e5045bfbee376a2e79c92ed988f98c6bac84be0e5799fc981272cbf4460daf8c3c3f854ff2849fb2af1b44ea4a58e7f4bf2a782e3e33ca76b87b8a

memory/4208-148-0x0000000007400000-0x00000000079A4000-memory.dmp

memory/4208-149-0x0000000002C80000-0x0000000002CAD000-memory.dmp

memory/4208-150-0x00000000073F0000-0x0000000007400000-memory.dmp

memory/4208-151-0x00000000073F0000-0x0000000007400000-memory.dmp

memory/4208-152-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-155-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-153-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-157-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-159-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-161-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-163-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-165-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-167-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-169-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-171-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-173-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-175-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-177-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-179-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/4208-180-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/4208-181-0x00000000073F0000-0x0000000007400000-memory.dmp

memory/4208-183-0x0000000000400000-0x0000000002BAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu868364.exe

MD5 2c02b728f5fb060ee8a6fd76046e45cd
SHA1 998885f23a9539a6c71b43255267f6ce1194819a
SHA256 d00ba9249944a9e3633b03dfcc9ccf5852d0b8c47f9c25b894cdf88152ba1d9d
SHA512 51de1081544044d3f6ffc97146ce2ed47c637087c8f391edcdc03ee7dd1850027cff0c3c23bd7b032c6e89bc2e8cfc8a2f8d2e1a5a3f2ff21075ad0c6226bbde

memory/4628-188-0x0000000002CE0000-0x0000000002D26000-memory.dmp

memory/4628-189-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-191-0x0000000007200000-0x0000000007210000-memory.dmp

memory/4628-190-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-195-0x0000000007200000-0x0000000007210000-memory.dmp

memory/4628-194-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-192-0x0000000007200000-0x0000000007210000-memory.dmp

memory/4628-197-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-199-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-201-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-203-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-205-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-207-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-209-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-211-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-213-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-215-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-217-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-219-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-221-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-223-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-225-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/4628-984-0x0000000009C80000-0x000000000A298000-memory.dmp

memory/4628-985-0x000000000A320000-0x000000000A332000-memory.dmp

memory/4628-986-0x000000000A340000-0x000000000A44A000-memory.dmp

memory/4628-987-0x000000000A460000-0x000000000A49C000-memory.dmp

memory/4628-988-0x0000000007200000-0x0000000007210000-memory.dmp

memory/4628-989-0x000000000A760000-0x000000000A7C6000-memory.dmp

memory/4628-990-0x000000000AE20000-0x000000000AEB2000-memory.dmp

memory/4628-991-0x000000000AFF0000-0x000000000B066000-memory.dmp

memory/4628-992-0x000000000B0D0000-0x000000000B292000-memory.dmp

memory/4628-993-0x000000000B2A0000-0x000000000B7CC000-memory.dmp

memory/4628-995-0x000000000B8E0000-0x000000000B8FE000-memory.dmp

memory/4628-996-0x0000000006B50000-0x0000000006BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si330234.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/1500-1002-0x00000000009D0000-0x00000000009F8000-memory.dmp

memory/1500-1003-0x0000000007A60000-0x0000000007A70000-memory.dmp