Malware Analysis Report

2025-08-05 17:20

Sample ID: 230423-3vnmmaab8w
Target: 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e
SHA256: 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e
Tags: discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e

Threat Level: Known bad

The file 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:50

Reported

2023-04-23 23:52

Platform

win10-20230220-en

Max time kernel

54s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
PID 3240 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
PID 3240 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
PID 3372 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
PID 3372 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
PID 3372 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
PID 3372 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
PID 3372 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
PID 3372 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
PID 3240 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe
PID 3240 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe
PID 3240 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe

Processes

C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe

"C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe

Network

Country Destination Domain Proto
N/A 185.161.248.142:38452 tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
N/A 185.161.248.142:38452 tcp
US 20.189.173.12:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

MD5 592280f75e4c1d6252c30fcd978b428b
SHA1 6590d2b253f55789079e2fcfedb2d2d0cf8ed919
SHA256 35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351
SHA512 564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

MD5 ea129ae4e2eec913a0abb8a1860e383d
SHA1 cc11444a5348d0948ccfb353ddfc0199d4f79897
SHA256 faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752
SHA512 88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

MD5 dbd9429a188264660be8c2063838216e
SHA1 0755dfb277703fc264026eedffa4d6ce2f211536
SHA256 4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9
SHA512 60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142239.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e