Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3x9b4sgf58
Target a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690
SHA256 a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690

Threat Level: Known bad

The file a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:54

Reported

2023-04-23 23:57

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe
PID 1176 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe
PID 1176 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe
PID 944 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe
PID 944 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe
PID 944 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe
PID 944 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe
PID 944 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe
PID 944 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe
PID 1176 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe
PID 1176 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe
PID 1176 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe

"C:\Users\Admin\AppData\Local\Temp\a304d9e2cccefd42a263dbbadaefa1db1e97862bd4bd7cde6c57f20ccb78b690.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2316 -ip 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe

Network

Country Destination Domain Proto
NL 8.238.177.126:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
N/A 185.161.248.142:38452 tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
N/A 185.161.248.142:38452 tcp
US 52.152.110.14:443 tcp
US 52.168.112.66:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un405259.exe

MD5 07ac68f2be3aab9bb071d7b907d39379
SHA1 0654f0693f18f1f129a40ec0309bd86cf744c17c
SHA256 48038db3ecb15e2c93a574bb9795e616d973de200cd1e6fad04d89b1c0a227d0
SHA512 8abea60cbd4c7f2457d9525eb39f13ad1e7a08d2d4ecb3d01bf622f173e00a6344add195cb6bc38c0d83ae8e52fb2ae8af4871148492cc0b0ed717adf611d407

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr902841.exe

MD5 e7f1771bf22f743bc715dde7cc81925b
SHA1 cf3e7b1ce49d5a083b886dc271e340aa93c73081
SHA256 19ebd4dc58e6cf02b2db94723bffc0585b751466fbf424e59b9117d1fd142d9f
SHA512 c1dfe69f70ad7f1678cf3a62cf15b3ad63afcd4fdde10ecbde54dd09b97cf41115a1f2418f80c2bc746b71d5adb3c097072023ac29b2c5bcfc4b94f4445d3372

memory/2316-148-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/2316-149-0x00000000071A0000-0x0000000007744000-memory.dmp

memory/2316-150-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-151-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-153-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-155-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-157-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-159-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-161-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-163-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/2316-165-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/2316-164-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-167-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/2316-168-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-170-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-174-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-172-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-176-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-178-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-180-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2316-181-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/2316-183-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/2316-184-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/2316-185-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/2316-186-0x0000000000400000-0x0000000002BAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu660878.exe

MD5 46a77d714dde37888f67478de5da8c39
SHA1 9703e7463650722f0480fd4f325166fb87084288
SHA256 cdb24c6234bfe795c753638e1daaf619550a8b80dbb791a9876cddfb84ac5dfb
SHA512 d4d4c84d1bfdf57a8c0aa95c3936f62e4cc631fef6efc5695ccbf3e1e838a3aff7fb0f18e247ba87f158d8235d0b74004b48d540b70b62e5a35a16497bd1768f

memory/1764-191-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-192-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-194-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-196-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-199-0x0000000002D00000-0x0000000002D46000-memory.dmp

memory/1764-198-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-201-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/1764-205-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/1764-203-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/1764-202-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-206-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-208-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-210-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-212-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-214-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-216-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-218-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-220-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-222-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-224-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-226-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-228-0x0000000007180000-0x00000000071B5000-memory.dmp

memory/1764-987-0x0000000009D30000-0x000000000A348000-memory.dmp

memory/1764-988-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1764-989-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/1764-990-0x000000000A460000-0x000000000A49C000-memory.dmp

memory/1764-991-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/1764-992-0x000000000A760000-0x000000000A7C6000-memory.dmp

memory/1764-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp

memory/1764-994-0x000000000AEE0000-0x000000000AF30000-memory.dmp

memory/1764-995-0x000000000AF40000-0x000000000AFB6000-memory.dmp

memory/1764-996-0x000000000B0F0000-0x000000000B10E000-memory.dmp

memory/1764-997-0x000000000B210000-0x000000000B3D2000-memory.dmp

memory/1764-998-0x000000000B3E0000-0x000000000B90C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si048248.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/2164-1005-0x00000000008B0000-0x00000000008D8000-memory.dmp

memory/2164-1006-0x00000000079F0000-0x0000000007A00000-memory.dmp