Malware Analysis Report

2025-08-05 17:19

Sample ID 230423-3x5zpagf57
Target 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d
SHA256 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d

Threat Level: Known bad

The file 0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:54

Reported

2023-04-23 23:57

Platform

win10v2004-20230221-en

Max time kernel

96s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3684 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe
PID 3684 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe
PID 3684 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe
PID 2120 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe
PID 2120 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe
PID 2120 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe
PID 2120 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe
PID 2120 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe
PID 3684 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe
PID 3684 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe
PID 3684 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe

"C:\Users\Admin\AppData\Local\Temp\0c88306ba907f31428e34d62a437c7cb81e45b09c2a64234b3760dd9e608c10d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2976 -ip 2976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 2016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe

Network

Country | Destination | Domain | Proto
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 104.208.16.90:443 | | tcp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigw6999.exe

MD5 dc2d8fdc8d3d46783ae2657058a75791
SHA1 84aeb242bf58ea8cb33f7edcbfde90a9ff9c26fe
SHA256 9bb8049f683d803d4aabac99b19741fdbb28b45c81bed35d666d9f2a08462b0d
SHA512 182cd5bf2242255bd0a9713e571ade0b6e7264f1b3f8d2737235b998f036ad98bc544d33f0f864642b09cbc64972dd03559d1c110d19ea5cb0669367d6a1e0ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it039265.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp386537.exe

MD5 544d3ec4153b87860a314e032fda8170
SHA1 5fc6d3f97fa737ab59dd054e2087bf6d7fd990b6
SHA256 96fefcf961481f099453b1719e61cb0e6bccd52ec64ee49beca8883c991839b6
SHA512 cbfa328567999555a34ece31b60919d766fe82697eaf8263c3ae28a69114d8cf5e33a6f91f25c59593f7cda508340b2dad12d8d7a341c1cf0bb1208f26e91631

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr673288.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e
