Malware Analysis Report

2025-08-10 23:10

Sample ID 230423-zsaffafh44
Target 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4
SHA256 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4

Threat Level: Known bad

The file 476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 20:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 20:58

Reported

2023-04-23 21:00

Platform

win10v2004-20230220-en

Max time kernel

83s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 932 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
PID 932 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
PID 932 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe
PID 676 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe
PID 676 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe
PID 676 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
PID 676 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
PID 676 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe
PID 932 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe
PID 932 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe
PID 932 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe

Processes

C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe

"C:\Users\Admin\AppData\Local\Temp\476ab31d2185ae4f8f9a29449acff8ba8265fcaafaea2e5a081f5bc1bff5b0c4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 20.189.173.6:443 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2748.exe

MD5 87ce86e77ccfa5a23782f779f2a1b8d9
SHA1 96aa608ce0bd3e9482f12f22ab98742d34fb1d89
SHA256 027ddbf37851f2b1a19aa26d56bc303e07e36ceb99eeaf2f2acb46ce0130b81f
SHA512 ef86daa457d865ef4c0491f64367fbc2b84392b7ac04778efc90d7eea5e932167bf20c3e6e84d17669106edb9fca80d0177193f7d6b68b479b703b2221f13b2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it597204.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2684-147-0x0000000000A00000-0x0000000000A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp802124.exe

MD5 da856a20ca764dfefaeec22336150477
SHA1 ab72e8813c77a7214ab53c70a7327082aca69f3d
SHA256 8cb7a0df0d1e247209c974313f59aeb97f2f744bf092b94755dcb7922b203840
SHA512 54f7bc2cbcf753eea22e7f047bbb443d95556c17bbe527b4cf25ec1e7f906a10965c7f16c49071e3c61d0b043799870f921f225507b6c9d93422fff336ef4c98

memory/5096-153-0x0000000002CF0000-0x0000000002D36000-memory.dmp

memory/5096-154-0x00000000071C0000-0x0000000007764000-memory.dmp

memory/5096-155-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-156-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-157-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-158-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-159-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-161-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-163-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-165-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-167-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-169-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-171-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-173-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-175-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-177-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-179-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-181-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-183-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-185-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-187-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-189-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-191-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-193-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-195-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-197-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-199-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-201-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-203-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-205-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-207-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-209-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-211-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-213-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-215-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-217-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-219-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-221-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/5096-950-0x0000000009C70000-0x000000000A288000-memory.dmp

memory/5096-951-0x000000000A320000-0x000000000A332000-memory.dmp

memory/5096-952-0x000000000A340000-0x000000000A44A000-memory.dmp

memory/5096-953-0x000000000A460000-0x000000000A49C000-memory.dmp

memory/5096-954-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-955-0x000000000A760000-0x000000000A7C6000-memory.dmp

memory/5096-956-0x000000000AE20000-0x000000000AEB2000-memory.dmp

memory/5096-957-0x000000000AFF0000-0x000000000B066000-memory.dmp

memory/5096-958-0x000000000B0D0000-0x000000000B292000-memory.dmp

memory/5096-959-0x000000000B2A0000-0x000000000B7CC000-memory.dmp

memory/5096-961-0x000000000B850000-0x000000000B86E000-memory.dmp

memory/5096-962-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-963-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-964-0x00000000071B0000-0x00000000071C0000-memory.dmp

memory/5096-965-0x00000000049C0000-0x0000000004A10000-memory.dmp

memory/5096-967-0x00000000071B0000-0x00000000071C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr766074.exe

MD5 8c80b06d843bd6a7599a5be2075d9a55
SHA1 caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256 e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512 cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

memory/3104-973-0x0000000000490000-0x00000000004B8000-memory.dmp

memory/3104-974-0x0000000007250000-0x0000000007260000-memory.dmp