Malware Analysis Report

2025-08-10 23:10

Sample ID 230423-zxzk5afh65
Target bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13
SHA256 bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13

Threat Level: Known bad

The file bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Launches sc.exe

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 21:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 21:06

Reported

2023-04-23 21:09

Platform

win10v2004-20230220-en

Max time kernel

127s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | N/A

Checks installed software on the system

discovery

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4828 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe
PID 4828 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe
PID 4828 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe
PID 4344 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe
PID 4344 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe
PID 4344 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe
PID 4344 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe
PID 4344 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe
PID 4828 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe
PID 4828 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe
PID 4828 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe

"C:\Users\Admin\AppData\Local\Temp\bd6179ef1c5409ba4e708bc28d871d7e0870588f908b9aeb7489238098c63f13.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1336

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 142.248.161.185.in-addr.arpa | udp
N/A | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYM3635.exe

MD5 ed51bd8586405e030c4405ce990ed597
SHA1 84cff63a7b27f9a4916b2a6cf46489395e48b73a
SHA256 746c85d0c09bc1a73acd71ecedf434e7bb051a1b2341dc6f5528d4ad0f7003b1
SHA512 37a6b3fff36ef5875671881e155b22d3b6a22580cb4907c004086a041b15c134a918bcb2f04ff51994997c9880e1e8107ed067a77229cc32e92493557bbe0531

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it284374.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1092-147-0x0000000000A10000-0x0000000000A1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp507224.exe

MD5 850f525ecb2d9ea52cb706e539951562
SHA1 5e74c7cfcb5afa19ce2c13c387ae2f7b0cc02d8f
SHA256 f1858ddaf804b89311f16f8be59c8c64fe3f6e64449014333f3fbfc63d9a1fd9
SHA512 f4f211f9487ac0a85c60dcf954b7ae7f19d7ced36543b632fc7d6110beb39687df3716bf1ec797588505727f16947be6dde4e5e23d3a6f2756f63aa6f76eacf2

memory/2040-153-0x0000000002BD0000-0x0000000002C16000-memory.dmp

memory/2040-155-0x0000000007410000-0x0000000007420000-memory.dmp

memory/2040-154-0x0000000007410000-0x0000000007420000-memory.dmp

memory/2040-156-0x0000000007420000-0x00000000079C4000-memory.dmp

memory/2040-157-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-158-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-160-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-162-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-164-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-166-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-168-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-170-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-172-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-174-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-176-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-178-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-180-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-182-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-184-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-186-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-188-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-190-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-192-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-194-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-196-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-198-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-200-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-202-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-204-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-206-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-210-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-212-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-208-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-214-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-216-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-218-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-220-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/2040-949-0x0000000009D50000-0x000000000A368000-memory.dmp

memory/2040-950-0x00000000073C0000-0x00000000073D2000-memory.dmp

memory/2040-951-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/2040-952-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/2040-953-0x0000000007410000-0x0000000007420000-memory.dmp

memory/2040-954-0x000000000A760000-0x000000000A7C6000-memory.dmp

memory/2040-955-0x000000000AF30000-0x000000000AFC2000-memory.dmp

memory/2040-956-0x000000000AFF0000-0x000000000B066000-memory.dmp

memory/2040-957-0x000000000B0A0000-0x000000000B0BE000-memory.dmp

memory/2040-958-0x000000000B1C0000-0x000000000B382000-memory.dmp

memory/2040-959-0x000000000B390000-0x000000000B8BC000-memory.dmp

memory/2040-960-0x0000000004780000-0x00000000047D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr349908.exe

MD5 8c80b06d843bd6a7599a5be2075d9a55
SHA1 caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256 e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512 cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

memory/3668-967-0x0000000000330000-0x0000000000358000-memory.dmp

memory/3668-968-0x0000000007160000-0x0000000007170000-memory.dmp