e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468

General

Target

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
Size

5.4MB
MD5

583887cee4177d59e84674f832cd504f
SHA1

15706ad30a48d0bc66a2b91367c0d4eeb877c375
SHA256

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468
SHA512

844cba185a146883c75d14894ec74dd912a38c499df6250d88ce1385f554170a13c0feb1071205a9499777130b440e277663e2e11a0da1fe1cfab90ef86b3175

Score

9^/10

evasion spyware trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ServiceHost packer 12 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1264-17-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-16-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-19-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-18-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-20-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-21-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-22-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-23-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-24-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-25-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-27-0x000000000043FF20-mapping.dmp	servicehost
behavioral2/memory/1264-26-0x000000000043FF20-mapping.dmp	servicehost

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

Loads dropped DLL 3 IoCs

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exee52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

pid	process
3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
1264	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

description	pid	process	target process
PID 3576 set thread context of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 1264 WerFault.exe e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

pid	pid_target	process	target process
1192	1264	WerFault.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exeWerFault.exe

pid	process
3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
Token: SeRestorePrivilege	1192	WerFault.exe
Token: SeBackupPrivilege	1192	WerFault.exe
Token: SeDebugPrivilege	1192	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

description	pid	process	target process
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
PID 3576 wrote to memory of 1264	3576	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe	e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe

C:\Users\Admin\AppData\Local\Temp\e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
"C:\Users\Admin\AppData\Local\Temp\e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe
  "C:\Users\Admin\AppData\Local\Temp\e52a74fb629774299e5a859574746b2fc1041f1b1282c5fa486a824551098468.exe"
  2⤵
  - Loads dropped DLL
  PID:1264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1892
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\d5826601-c1fb-4502-b6a6-7bd4388c1d4b\Xxl.dll

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/1192-29-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1192-14-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1192-13-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1264-20-0x000000000043FF20-mapping.dmp

Download
memory/1264-24-0x000000000043FF20-mapping.dmp

Download
memory/1264-9-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1264-10-0x000000000043FF20-mapping.dmp

Download
memory/1264-11-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1264-26-0x000000000043FF20-mapping.dmp

Download
memory/1264-27-0x000000000043FF20-mapping.dmp

Download
memory/1264-25-0x000000000043FF20-mapping.dmp

Download
memory/1264-17-0x000000000043FF20-mapping.dmp

Download
memory/1264-16-0x000000000043FF20-mapping.dmp

Download
memory/1264-19-0x000000000043FF20-mapping.dmp

Download
memory/1264-18-0x000000000043FF20-mapping.dmp

Download
memory/1264-23-0x000000000043FF20-mapping.dmp

Download
memory/1264-21-0x000000000043FF20-mapping.dmp

Download
memory/1264-22-0x000000000043FF20-mapping.dmp

Download
memory/3576-0-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/3576-7-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/3576-3-0x00000000053B0000-0x00000000053E6000-memory.dmp

Filesize
216KB

Download
memory/3576-5-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/3576-6-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/3576-1-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads