c52ace76d94d2c7687a8c4bd529f86c343c05cc388df75432736b1c384f8677e

General

Target

file.exe
Size

3.8MB
MD5

2e14c53a16fd3117aa1e940c69679c23
SHA1

7768c676e75565d2c09505bab2f765bc583c1170
SHA256

c52ace76d94d2c7687a8c4bd529f86c343c05cc388df75432736b1c384f8677e
SHA512

a4477f135037cf94d18e718d16746a875b85ad4fa3bdaa397f2d00198c14b4ff945cc9a3435eecb5408b2c575ccb207670c45333121d0dd935158e9ed2ade263

Score

10^/10

persistence spyware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe\""	file.exe

Drops startup file 2 IoCs

Processes:

file.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	file.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	file.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

file.exe

pid process

4032 file.exe
4032 file.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

file.exe

pid process

4032 file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 4032 file.exe

flow	ioc
13	checkip.dyndns.org

pid	process
4032	file.exe
4032	file.exe

pid	process
4032	file.exe

description	pid	process
Token: SeDebugPrivilege	4032	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4032-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/4032-3-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4032-5-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4032-6-0x0000000006370000-0x0000000006419000-memory.dmp

Filesize
676KB

Download
memory/4032-7-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/4032-8-0x00000000065A0000-0x000000000663D000-memory.dmp

Filesize
628KB

Download
memory/4032-9-0x0000000006640000-0x00000000066C9000-memory.dmp

Filesize
548KB

Download
memory/4032-10-0x0000000006750000-0x00000000067CE000-memory.dmp

Filesize
504KB

Download
memory/4032-11-0x00000000067D0000-0x0000000006842000-memory.dmp

Filesize
456KB

Download
memory/4032-12-0x00000000066D0000-0x0000000006736000-memory.dmp

Filesize
408KB

Download
memory/4032-13-0x0000000006850000-0x00000000068AA000-memory.dmp

Filesize
360KB

Download
memory/4032-14-0x0000000005280000-0x00000000052CF000-memory.dmp

Filesize
316KB

Download
memory/4032-15-0x00000000068B0000-0x00000000068F4000-memory.dmp

Filesize
272KB

Download
memory/4032-16-0x0000000006900000-0x0000000006939000-memory.dmp

Filesize
228KB

Download
memory/4032-17-0x0000000006940000-0x000000000696E000-memory.dmp

Filesize
184KB

Download
memory/4032-18-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/4032-19-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/4032-20-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/4032-21-0x00000000064A0000-0x00000000064A5000-memory.dmp

Filesize
20KB

Download
memory/4032-22-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/4032-23-0x0000000009540000-0x0000000009541000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads