Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3ymjqsab9y
Target 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da
SHA256 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da

Threat Level: Known bad

The file 68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:55

Reported

2023-04-23 23:57

Platform

win10v2004-20230220-en

Max time kernel

60s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A

All six events come from the dropped stage pr742894.exe, which writes the Group Policy location Defender honours (Policies\Microsoft\Windows Defender\Real-Time Protection) rather than the per-machine settings key. The rows record only the write attempts; the report does not show whether Defender accepted them, and Tamper Protection, where it is enabled, exists to block exactly this kind of registry-driven change.

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A

Writing TamperProtection = 0 is the same stage trying to switch Tamper Protection off alongside its real-time protection policy writes; as with those rows, the report shows the attempt, not the result.

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | N/A

Both RunOnce values are the standard cleanup entries written by the Windows self-extractor stub (wextract): IXP000.TMP and IXP001.TMP are its extraction folders, and DelNodeRunDLL32 in advpack.dll deletes them at the next logon. They account for the "Adds Run key" tag, but they delete the staging folders rather than relaunch anything. The outer executable and the nested un796873.exe are two wextract layers, each writing its own cleanup entry.
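The registry rows in the three signature tables above (Defender real-time protection, Tamper Protection, RunOnce) can be triaged mechanically. The following Python is an added example, not part of the sandbox report or its tooling: it re-enters those rows as tuples, applies three rules written for this example, and separates wextract's cleanup entries from a genuine Run/RunOnce persistence value. The rule labels, helper names and the extra hypothetical "Updater" value used in the usage note are this example's own.

```python
import re
from collections import defaultdict

# Registry events copied from the behavioral1 signature tables, as
# (operation, key, data, process) tuples. Constructed for this example;
# "Key created" rows carry no data.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
MAIN = TMP + r"\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe"
UN = TMP + r"\IXP000.TMP\un796873.exe"
PR = TMP + r"\IXP001.TMP\pr742894.exe"
CLEANUP_CMD = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "%s\"'

EVENTS = [
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1", PR),
    ("Set value (int)", RTP + r"\DisableScanOnRealtimeEnable", "1", PR),
    ("Key created", RTP, None, PR),
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1", PR),
    ("Set value (int)", RTP + r"\DisableIOAVProtection", "1", PR),
    ("Set value (int)", RTP + r"\DisableOnAccessProtection", "1", PR),
    ("Key created", FEATURES, None, PR),
    ("Set value (int)", FEATURES + r"\TamperProtection", "0", PR),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup0", CLEANUP_CMD % (TMP + r"\IXP000.TMP"), MAIN),
    ("Key created", RUNONCE, None, UN),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup1", CLEANUP_CMD % (TMP + r"\IXP001.TMP"), UN),
    ("Key created", RUNONCE, None, MAIN),
]

# Detection rules written for this example: (label, key-path regex, required data or None).
RULES = [
    ("defender.realtime_protection_disabled",
     re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I), "1"),
    ("defender.tamper_protection_off",
     re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I), "0"),
    ("persistence.run_key",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I), None),
]
# wextract's own RunOnce entry: rundll32 advpack.dll,DelNodeRunDLL32 just deletes the IXP*.TMP folder.
WEXTRACT_CLEANUP = re.compile(r"^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ", re.I)


def value_name(path):
    """Last path component: the value name of a registry key, or the basename of a file path."""
    return path.rsplit("\\", 1)[-1]


def classify(op, key, data):
    """Map one registry event to a finding label, or None when it is not actionable on its own."""
    if not op.startswith("Set value"):
        return None  # creating a key says nothing about intent by itself
    for label, pattern, expected in RULES:
        if not pattern.search(key):
            continue
        if expected is not None and data != expected:
            return None  # e.g. DisableRealtimeMonitoring = 0 re-enables protection
        if (label == "persistence.run_key" and value_name(key).startswith("wextract_cleanup")
                and data and WEXTRACT_CLEANUP.match(data)):
            return "installer.wextract_cleanup"
        return label
    return None


def triage(events):
    """Sorted finding labels per process basename."""
    findings = defaultdict(set)
    for op, key, data, proc in events:
        label = classify(op, key, data)
        if label:
            findings[value_name(proc)].add(label)
    return {proc: sorted(labels) for proc, labels in findings.items()}


def disabled_defender_values(events):
    """Names of the Real-Time Protection policy values that were set to 1."""
    return sorted(value_name(key) for op, key, data, _ in events
                  if classify(op, key, data) == "defender.realtime_protection_disabled")


if __name__ == "__main__":
    for proc, labels in triage(EVENTS).items():
        print(proc, "->", ", ".join(labels))
    print("disabled:", ", ".join(disabled_defender_values(EVENTS)))
    # A hypothetical non-installer RunOnce value is what real persistence would look like:
    print(classify("Set value (str)", RUNONCE + r"\Updater", r"C:\Users\Admin\AppData\Roaming\upd.exe"))
```

Run as written, the two wextract layers come out as installer cleanup, pr742894.exe carries both Defender findings, and only a RunOnce value that does not follow the wextract_cleanup pattern is labelled persistence.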

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe | N/A

All three dropped payloads enable SeDebugPrivilege. AdjustTokenPrivileges can only enable a privilege the token already holds, so this succeeds because the sample runs from an administrator token (the sandbox user is Admin); under a standard user the same call fails.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Writes
PID 1280 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | 3
PID 1256 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe | 3
PID 1256 wrote to memory of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe | 3
PID 1280 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe | 3

The report lists each pair three times; the rows are collapsed here with a count. Every write goes from a process into one of its own dropped children, consistent with a parent writing into a newly created child rather than injection into an unrelated process, so these rows also give the parent/child map for the process list below.
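Reconstructing the process tree from the WriteProcessMemory rows and the WerFault command lines, as an added example that is not the sandbox's code: the rows are copied in verbatim in the sandbox's one-line form, the parent/child inference (the writer is the parent of the process it wrote into) is this example's assumption, and crashes are attached from WerFault's -p argument.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table, one string per
# row; the sandbox lists every pair three times, so the duplicates are kept on purpose.
WPM_ROWS = r"""
PID 1280 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
PID 1280 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
PID 1280 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe
PID 1256 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
PID 1256 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
PID 1256 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe
PID 1256 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
PID 1256 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
PID 1256 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe
PID 1280 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
PID 1280 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
PID 1280 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe
"""

# WerFault command lines copied from the Processes section.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4208 -ip 4208",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1096",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4268 -ip 4268",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1324",
]

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# -p <pid> is the faulting process; -pss and -ip must not match.
CRASH_PID = re.compile(r"(?:^|\s)-p (\d+)(?=\s|$)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Collapse rows into one (writer, target) -> (writer_path, target_path) edge, counting writes."""
    edges, writes = {}, defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pair = (int(m[1]), int(m[2]))
            edges[pair] = (m[3], m[4])
            writes[pair] += 1
    return edges, dict(writes)


def build_tree(edges):
    """Assumption of this example: the writer is the parent of the process it wrote into."""
    parent, children, names = {}, defaultdict(list), {}
    for (src, dst), (src_path, dst_path) in edges.items():
        names.setdefault(src, src_path)
        names[dst] = dst_path
        parent[dst] = src
        children[src].append(dst)
    roots = [pid for pid in names if pid not in parent]
    return parent, children, names, roots


def crashed_pids(cmdlines):
    """PIDs that WerFault was invoked for."""
    found = set()
    for cmd in cmdlines:
        m = CRASH_PID.search(cmd)
        if m:
            found.add(int(m[1]))
    return found


def render(children, names, pid, crashed, depth=0):
    """Indented tree lines, one per process, marking the ones WerFault handled."""
    mark = "  [crashed, handled by WerFault]" if pid in crashed else ""
    lines = ["  " * depth + f"{basename(names[pid])} (PID {pid}){mark}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, crashed, depth + 1))
    return lines


if __name__ == "__main__":
    edges, writes = parse_rows(WPM_ROWS)
    parent, children, names, roots = build_tree(edges)
    crashed = crashed_pids(WERFAULT_CMDLINES)
    for root in roots:
        print("\n".join(render(children, names, root, crashed)))
```

The twelve rows collapse to four edges with three writes each, a single root (PID 1280, the submitted sample), and two crashed leaves (pr742894.exe and qu216446.exe), which matches the "Program crash" tag in the summary.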

Processes

Parent/child relationships below follow the WriteProcessMemory rows (each writer writing into a process it dropped), and the PIDs come from those rows and from the WerFault command lines. WerFault names the faulting process with -p; both payload stages under un796873.exe, pr742894.exe and qu216446.exe, crash during the run, and the crash handler is the 32-bit one in SysWOW64.

C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe  (PID 1280)
  "C:\Users\Admin\AppData\Local\Temp\68cba62bf8a574604293cc1aec48a4414e7fe409deb433370f19fb640bc963da.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe  (PID 1256)

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe  (PID 4208)
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4208 -ip 4208
      C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1096

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe  (PID 4268)
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4268 -ip 4268
      C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1324

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe  (PID 4768)

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 40.77.2.164:443 | | tcp
US | 13.89.179.9:443 | | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
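Added example for the Network table (not part of the report or the sandbox): it parses the rows in the sandbox's space-separated form, decodes the in-addr.arpa PTR names back to addresses, and separates plain web-port traffic and DNS from endpoints that warrant a closer look. The port buckets are this example's own rule of thumb; the one connection to a high port on an address with no country attribution is what falls out of it, and the PTR decoding shows that the same address was also reverse-resolved during the run.

```python
import re
from collections import defaultdict

# Rows copied from the Network table above (country, ip:port, optional domain, protocol).
NETWORK_ROWS = """
US 209.197.3.8:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
N/A 185.161.248.142:38452 tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
N/A 185.161.248.142:38452 tcp
US 40.77.2.164:443 tcp
US 13.89.179.9:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
"""

ROW = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)
WEB_PORTS = {80, 443}  # this example's rule of thumb, not a sandbox setting


def parse_network(text):
    """One dict per row; 'domain' is None when the sandbox logged no name."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                          "domain": m[4], "proto": m[5]})
    return conns


def ptr_to_ip(name):
    """'142.248.161.185.in-addr.arpa' -> '185.161.248.142'; None for anything else."""
    m = PTR.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def bucket_endpoints(conns):
    """Unique ip:port endpoints split into dns / web / review."""
    buckets = defaultdict(set)
    for c in conns:
        endpoint = f"{c['ip']}:{c['port']}"
        if c["proto"] == "udp" and c["port"] == 53:
            buckets["dns"].add(endpoint)
        elif c["proto"] == "tcp" and c["port"] in WEB_PORTS:
            buckets["web"].add(endpoint)
        else:
            buckets["review"].add(endpoint)
    return {kind: sorted(endpoints) for kind, endpoints in buckets.items()}


def ptr_overlap(conns):
    """Contacted addresses that were also the subject of a PTR lookup."""
    contacted = {c["ip"] for c in conns if c["port"] != 53}
    looked_up = {ptr_to_ip(c["domain"]) for c in conns} - {None}
    return sorted(contacted & looked_up)


if __name__ == "__main__":
    conns = parse_network(NETWORK_ROWS)
    for kind, endpoints in bucket_endpoints(conns).items():
        print(kind, endpoints)
    print("contacted and reverse-resolved:", ptr_overlap(conns))
```

Only 185.161.248.142:38452 lands in the review bucket, and 185.161.248.142 is also the one contacted address that shows up reversed in a PTR query; the remaining PTR names decode to addresses the sample never connected to, which is the usual background of the sandbox's own resolver activity.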

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un796873.exe

MD5 23c3841492808f34af61075697a52720
SHA1 cd3a2168785bf5d0840f1fcf747fcb2c3bcfb48b
SHA256 f9d07a65aea8fc1169b2b259fc798a05b2f516cb5fee3cb7404c33912725ff52
SHA512 2f12de2882acf0f872255ad8aaa4c9b37584e474215612b0259f138a880c620c5d98678e07dd8622fa8770b195aa515e7028ffab42c3805b12f0af66e3bc7346

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742894.exe

MD5 fdda9bb2d78bdb9e39696ec3e1d62e70
SHA1 35fb3fb311dd672a73ec43363b8c4d1ae1e64e6f
SHA256 8540456765fa1ab1bc01c7fadeb332f3ac47dcad6cd391288bb3d4eedab4511f
SHA512 0e8fea018b80b160548ce92dd27d1dc463f66cfd39900e8a596fa8fc966b8f1f500942f341d3d6fcfc969f811af30c1142238b565c2fa29408f97baf23de9f75

memory/4208-148-0x0000000007190000-0x0000000007734000-memory.dmp

memory/4208-149-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

memory/4208-150-0x0000000007180000-0x0000000007190000-memory.dmp

memory/4208-151-0x0000000007180000-0x0000000007190000-memory.dmp

memory/4208-152-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-153-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-155-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-157-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-159-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-161-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-163-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-165-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-167-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-169-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-171-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-173-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-175-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-177-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-179-0x0000000007110000-0x0000000007122000-memory.dmp

memory/4208-180-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/4208-181-0x0000000007180000-0x0000000007190000-memory.dmp

memory/4208-182-0x0000000007180000-0x0000000007190000-memory.dmp

memory/4208-183-0x0000000007180000-0x0000000007190000-memory.dmp

memory/4208-185-0x0000000000400000-0x0000000002BAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu216446.exe

MD5 77c68fa4322227d8f24bdbd71455406a
SHA1 e02819914c0df8b2d9058efcc452e23ded5cfdb6
SHA256 b1f969aceade41735fed2bf30cc138b0b7ac912075300b08ef4fc4657b2beb79
SHA512 a331842994d107ce8e8281353b383bd02b7ec6eb7bb3b48e1f617f13c1181a22d843a2ba77ed83a24b290914c2e924cccacecf5e7ce40a95bb13493dbf592031

memory/4268-191-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-190-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-193-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-195-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-197-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-199-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-201-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-203-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-205-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-207-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-209-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-211-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-213-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-215-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-217-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-219-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-221-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-223-0x0000000004D60000-0x0000000004D95000-memory.dmp

memory/4268-385-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

memory/4268-387-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4268-388-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4268-390-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4268-986-0x0000000009C70000-0x000000000A288000-memory.dmp

memory/4268-987-0x000000000A320000-0x000000000A332000-memory.dmp

memory/4268-988-0x000000000A340000-0x000000000A44A000-memory.dmp

memory/4268-989-0x000000000A460000-0x000000000A49C000-memory.dmp

memory/4268-990-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4268-991-0x000000000A760000-0x000000000A7C6000-memory.dmp

memory/4268-992-0x000000000AE30000-0x000000000AEC2000-memory.dmp

memory/4268-993-0x000000000B020000-0x000000000B070000-memory.dmp

memory/4268-994-0x000000000B080000-0x000000000B0F6000-memory.dmp

memory/4268-995-0x000000000B130000-0x000000000B14E000-memory.dmp

memory/4268-996-0x000000000B350000-0x000000000B512000-memory.dmp

memory/4268-997-0x000000000B520000-0x000000000BA4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si203860.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/4768-1004-0x00000000007F0000-0x0000000000818000-memory.dmp

memory/4768-1005-0x0000000007910000-0x0000000007920000-memory.dmp