Malware Analysis Report

2025-08-05 17:19

Sample ID: 230423-3wy5raab9s
Target: 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06
SHA256: 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06
Tags: discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06

Threat Level: Known bad

The file 8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:52

Reported

2023-04-23 23:55

Platform

win10-20230220-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2036 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | 3
PID 2276 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe | 3
PID 2276 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe | 3
PID 2036 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f2036bf2492f11fce4f91a5e97ffa90b69fb13fdd8aa20363f1ef5b24167e06.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe

Network

Country | Destination | Domain | Proto
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un188790.exe

MD5 3800a36c0c2a4d999037b2d3ce325ba0
SHA1 6c63db5220b9411cde02a9b5580be7abba9fcfce
SHA256 b6f536d5314262767b10303dcd98f9b4b1f77b0581dc7ce771713b2c07d3825f
SHA512 ecafe2a456171627f3b57f1b3a0b673e9a7a3b95a4cd19014c3e826a5b75aae79a75bab647c97cc677ae4ecc84fa70978abe19292bc7d9ae544eab4fd43b6e0d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr965475.exe

MD5 4be8a568f93bf2995daa47cb7bf9ad5a
SHA1 5d00444619088871dd53c51d6b6fce214600b122
SHA256 77e93cecdd070e526425fd39ff9603528dd54f19a2d1b24386fcaea3542f4af1
SHA512 7d9d27f1d8ae45155bf39c2ddb2d2b170edc561b13c79e8fc066e9d73f3100aca341af8232c9fde6252e6c46c8cd2e08758b0d014839e7a560fc014fda98f61c

memory/2392-136-0x0000000004A30000-0x0000000004A4A000-memory.dmp
memory/2392-137-0x00000000073A0000-0x000000000789E000-memory.dmp
memory/2392-138-0x0000000004A60000-0x0000000004A78000-memory.dmp
memory/2392-139-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-140-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-146-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-144-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-142-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-148-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-150-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-154-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-161-0x00000000001D0000-0x00000000001FD000-memory.dmp
memory/2392-158-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-160-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-162-0x0000000007390000-0x00000000073A0000-memory.dmp
memory/2392-156-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-165-0x0000000007390000-0x00000000073A0000-memory.dmp
memory/2392-164-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-168-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-167-0x0000000007390000-0x00000000073A0000-memory.dmp
memory/2392-152-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-170-0x0000000004A60000-0x0000000004A72000-memory.dmp
memory/2392-171-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2392-175-0x0000000007390000-0x00000000073A0000-memory.dmp
memory/2392-173-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2392-176-0x0000000007390000-0x00000000073A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu879277.exe

MD5 0b1441c8e9880dceaeb09f46e8bdcc29
SHA1 d34ddb646f520fca722850f2ce8142f3cc96d0be
SHA256 f21b4e07e05cef7391656e70ae2411fd5f2ca34f7ab779ae5734043e642d9abf
SHA512 7fd63f87ece5caf5254ba270ad9e1dcc43bc52812ebe79bb6f644da4d0b9170225b0994d31e391e6cf42d09c8bc3f4957dc8d7bae2cf294adaa134c343398d2a

memory/2392-174-0x0000000007390000-0x00000000073A0000-memory.dmp

memory/4876-181-0x0000000004A80000-0x0000000004ABC000-memory.dmp
memory/4876-182-0x0000000007180000-0x00000000071BA000-memory.dmp
memory/4876-183-0x0000000002BD0000-0x0000000002C16000-memory.dmp
memory/4876-185-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-188-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/4876-190-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-192-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-187-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-186-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/4876-194-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-184-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/4876-196-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-198-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-202-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-200-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-204-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-206-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-208-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-210-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-212-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-214-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-216-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-218-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-220-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/4876-979-0x000000000A1C0000-0x000000000A7C6000-memory.dmp
memory/4876-980-0x0000000009C00000-0x0000000009C12000-memory.dmp
memory/4876-981-0x0000000009C30000-0x0000000009D3A000-memory.dmp
memory/4876-982-0x0000000009D50000-0x0000000009D8E000-memory.dmp
memory/4876-983-0x0000000009DD0000-0x0000000009E1B000-memory.dmp
memory/4876-984-0x00000000071E0000-0x00000000071F0000-memory.dmp
memory/4876-985-0x000000000A060000-0x000000000A0C6000-memory.dmp
memory/4876-986-0x000000000AD30000-0x000000000ADC2000-memory.dmp
memory/4876-987-0x000000000AED0000-0x000000000AF20000-memory.dmp
memory/4876-988-0x000000000AF40000-0x000000000AFB6000-memory.dmp
memory/4876-989-0x000000000AFE0000-0x000000000AFFE000-memory.dmp
memory/4876-991-0x000000000B0A0000-0x000000000B262000-memory.dmp
memory/4876-992-0x000000000B280000-0x000000000B7AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si747876.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/1840-998-0x0000000000650000-0x0000000000678000-memory.dmp
memory/1840-999-0x00000000073D0000-0x000000000741B000-memory.dmp
memory/1840-1000-0x0000000007420000-0x0000000007430000-memory.dmp