Malware Analysis Report

2025-08-10 23:10

Sample ID 230423-zss8jsfh46
Target 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e
SHA256 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e
Tags: discovery evasion persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e

Threat Level: Known bad

The file 0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-04-23 20:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-23 20:59

Reported: 2023-04-23 21:01

Platform: win10-20230220-en

Max time kernel: 51s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1716 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
PID 1716 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
PID 1716 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe
PID 4108 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
PID 4108 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
PID 4108 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe
PID 4108 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
PID 4108 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
PID 4108 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe
PID 1716 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
PID 1716 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe
PID 1716 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe

"C:\Users\Admin\AppData\Local\Temp\0e5ae1f3b6ba0e9d2cbed22b4dab18113b20e2ebf5a364200cc9143e66dfb41e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe

Network

Country | Destination | Domain | Proto
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 52.182.143.211:443 | | tcp
US | 67.24.33.254:80 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798185.exe

MD5 a638f4ecc80d3c3b92c86ba0fe768602
SHA1 5f6b94c1ec3cbdf361860bc1c7f8e17b0ba9a1ed
SHA256 93878c738488d0bb9e7df79ad32e34c4e142f80ff7fb2e9883e978ce99406816
SHA512 09c7482fcde34f444d0539cea47edd1e4d479603d74852767a025af4daa89950a9cebbc98130d113feb052b1d5dc59bfabc49e9300269d81a42dd2f54a0db63e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006349.exe

MD5 19c5b4b2753589f40613999fb7bce238
SHA1 ffd552ee9887c7edaf897780060a9bdb0f03f78c
SHA256 9dcd824b9ecb72731a22d20d41ce2d17aebe60384d7efb3e52ab026debae02a5
SHA512 d9f2e52c7f869c54378332a36573757bcf0058f68c38735aa7241211baf50e01dad0e987454a529ebc99d40eee3c86b780117cb62c26d78db8eefcb8bc692723

memory/2072-131-0x0000000002DC0000-0x0000000002DDA000-memory.dmp

memory/2072-132-0x00000000001D0000-0x00000000001FD000-memory.dmp

memory/2072-133-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/2072-134-0x00000000071C0000-0x00000000076BE000-memory.dmp

memory/2072-135-0x0000000004D90000-0x0000000004DA8000-memory.dmp

memory/2072-136-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-137-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-139-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-141-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-143-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-145-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-147-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-149-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-151-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-153-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-155-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-157-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-159-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-161-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-163-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/2072-164-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/2072-165-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/2072-166-0x0000000000400000-0x0000000002BAE000-memory.dmp

memory/2072-167-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/2072-170-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/2072-169-0x0000000000400000-0x0000000002BAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu543825.exe

MD5 751bcd0f77072da780e538b4e7a905e6
SHA1 d94332ff97d94a01b70de2edd53076bf2d2c22d6
SHA256 67525e6c216826ddf8bf65ba2833c8fea0481fe345733551ce59a389c190dcf4
SHA512 8e75caf82d1a6000882c63b7fcae57c1d9e883560d04eb9a60b6a39f019203006b5cda350bf7ef2de3a33a636afa9152a662858998b1799c27862c4257f324d9

memory/3736-175-0x0000000004B80000-0x0000000004BBC000-memory.dmp

memory/3736-176-0x0000000004D40000-0x0000000004D7A000-memory.dmp

memory/3736-178-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-177-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-180-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-182-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-184-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-186-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-188-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-190-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-192-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-194-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-196-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-198-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-200-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-202-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-204-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-208-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-206-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-210-0x0000000004D40000-0x0000000004D75000-memory.dmp

memory/3736-350-0x0000000002F40000-0x0000000002F86000-memory.dmp

memory/3736-354-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/3736-352-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/3736-355-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/3736-973-0x000000000A290000-0x000000000A896000-memory.dmp

memory/3736-974-0x00000000072A0000-0x00000000072B2000-memory.dmp

memory/3736-975-0x0000000009C80000-0x0000000009D8A000-memory.dmp

memory/3736-976-0x0000000009D90000-0x0000000009DCE000-memory.dmp

memory/3736-978-0x0000000009DD0000-0x0000000009E1B000-memory.dmp

memory/3736-977-0x00000000072F0000-0x0000000007300000-memory.dmp

memory/3736-979-0x000000000A060000-0x000000000A0C6000-memory.dmp

memory/3736-980-0x000000000AD30000-0x000000000ADC2000-memory.dmp

memory/3736-981-0x000000000ADD0000-0x000000000AE20000-memory.dmp

memory/3736-982-0x000000000AE40000-0x000000000AEB6000-memory.dmp

memory/3736-983-0x000000000AFE0000-0x000000000AFFE000-memory.dmp

memory/3736-984-0x000000000B0B0000-0x000000000B272000-memory.dmp

memory/3736-985-0x000000000B280000-0x000000000B7AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si115054.exe

MD5 8c80b06d843bd6a7599a5be2075d9a55
SHA1 caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256 e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512 cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

memory/3236-992-0x0000000000900000-0x0000000000928000-memory.dmp

memory/3236-993-0x0000000007680000-0x00000000076CB000-memory.dmp

memory/3236-994-0x00000000079C0000-0x00000000079D0000-memory.dmp