Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3zfsksgf63
Target bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8
SHA256 bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8

Threat Level: Known bad

The file bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:56

Reported

2023-04-23 23:59

Platform

win10v2004-20230220-en

Max time kernel

114s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe
PID 1784 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe
PID 1784 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe
PID 1356 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe
PID 1356 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe
PID 1356 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe
PID 1356 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe
PID 1356 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe
PID 1356 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe
PID 1784 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe
PID 1784 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe
PID 1784 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe

"C:\Users\Admin\AppData\Local\Temp\bbe57660dae3dc21311d8711f28a8ebebe5b1878c61fcc6b610ebba086a14ce8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1740 -ip 1740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1956

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 40.77.2.164:443 | | tcp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
NL | 8.238.179.126:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 13.107.42.16:443 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un751405.exe

MD5 2de59ca0f50cbc460923e6626754b8ee
SHA1 4e217d61ef0975ce359aa9ec461429b5e8e4d71d
SHA256 7e5896cebbebf4fd6df21cead501486c2cd925e9c1a3983e61fe17a6d8e2367a
SHA512 7af3a7ffd41837a4c368f7ccd4bb02ea2db1ad1cc3d971bcf693cef3d6ca56046f47fc7209bfe675ead6793cdfd628d8b1464e074e0cb06b4b0fa4c3c446744f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18845640.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e

memory/3692-147-0x0000000000BB0000-0x0000000000BD8000-memory.dmp

memory/3692-148-0x0000000007E50000-0x0000000008468000-memory.dmp

memory/3692-149-0x00000000078E0000-0x00000000078F2000-memory.dmp

memory/3692-150-0x0000000007A10000-0x0000000007B1A000-memory.dmp

memory/3692-151-0x0000000007980000-0x00000000079BC000-memory.dmp

memory/3692-152-0x0000000007930000-0x0000000007940000-memory.dmp

memory/3692-153-0x0000000007C80000-0x0000000007CE6000-memory.dmp

memory/3692-154-0x0000000008820000-0x00000000088B2000-memory.dmp

memory/3692-155-0x0000000008E70000-0x0000000009414000-memory.dmp

memory/3692-156-0x0000000008910000-0x0000000008960000-memory.dmp

memory/3692-157-0x0000000008A40000-0x0000000008AB6000-memory.dmp

memory/3692-158-0x0000000009420000-0x00000000095E2000-memory.dmp

memory/3692-159-0x0000000009B20000-0x000000000A04C000-memory.dmp

memory/3692-160-0x0000000008C20000-0x0000000008C3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419578.exe

MD5 45421b5d132aa2e4d872fb2a5998ceae
SHA1 7fffcb816537a873d1c1b3a0f7eea721320c8e10
SHA256 be18081f0f5777fdfec0e79812241f55a660e8619ce307c01327ffe23273f544
SHA512 bdf382544fbe301fbd08ebf46b97e531d23bd38bc48e118da1ef9aafd97d54576c1e94129b3efca3740c601d787446f82dfe3fa8cfad496a7b4a1ee5ca6a577d

memory/988-166-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-167-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-169-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-171-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-173-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-175-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-177-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-179-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-181-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-183-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-185-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-187-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-189-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-191-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-193-0x0000000007110000-0x0000000007122000-memory.dmp

memory/988-194-0x0000000002C80000-0x0000000002CAD000-memory.dmp

memory/988-195-0x0000000007270000-0x0000000007280000-memory.dmp

memory/988-196-0x0000000007270000-0x0000000007280000-memory.dmp

memory/988-197-0x0000000007270000-0x0000000007280000-memory.dmp

memory/988-198-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/988-200-0x0000000007270000-0x0000000007280000-memory.dmp

memory/988-201-0x0000000007270000-0x0000000007280000-memory.dmp

memory/988-202-0x0000000007270000-0x0000000007280000-memory.dmp

memory/988-203-0x0000000000400000-0x0000000002BAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu279112.exe

MD5 d6c93a35e3df5f1c7142e88e67e5557e
SHA1 5cdab3d894ce6d6966603de2fde1be9bae438593
SHA256 6ee570e0738a36142496c6b27dd66f8986b413961da7093f82d095fe636759a8
SHA512 370e757a3d92dbd60d1bdd2b0d67b7bd8f27d16addc9d465864c2857bcb804de911f89e6c2ed8bf21916ff296acd318f6a2d227d56f8b9e45d3a80f8affeb3ef

memory/1740-208-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-209-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-211-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-213-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-215-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-217-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-219-0x0000000004550000-0x0000000004596000-memory.dmp

memory/1740-221-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/1740-223-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/1740-225-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-224-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/1740-220-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-227-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-229-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-231-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-233-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-235-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-237-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-241-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-239-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-243-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-245-0x0000000007780000-0x00000000077B5000-memory.dmp

memory/1740-1004-0x00000000071C0000-0x00000000071D0000-memory.dmp