09bbc753aa0ac277e42418b81587e1362c5dea6798432b3f589f0dae187d7953

General

Target

0a90fcb89e5c36783d14359dfd0d2462.exe
Size

2.9MB
MD5

0a90fcb89e5c36783d14359dfd0d2462
SHA1

2ff0e1a4c591dfc6182c4f58209ae02210abff86
SHA256

09bbc753aa0ac277e42418b81587e1362c5dea6798432b3f589f0dae187d7953
SHA512

bf043ddd6c6c4ac363d4f62399be6eb396f6f8ece8310cd4164eaf7109a62c5e44b7f2a3e1eb75f47f8c11942dc7a47f25680f6ffd4314212f563dcea0f46b81

Score

8^/10

evasion spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

da_1648136254601.exe

pid process

4932 da_1648136254601.exe

pid	process
4932	da_1648136254601.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe	upx
C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a90fcb89e5c36783d14359dfd0d2462.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	0a90fcb89e5c36783d14359dfd0d2462.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0a90fcb89e5c36783d14359dfd0d2462.exeda_1648136254601.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a90fcb89e5c36783d14359dfd0d2462.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da_1648136254601.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5100 4792 WerFault.exe 0a90fcb89e5c36783d14359dfd0d2462.exe

pid	pid_target	process	target process
5100	4792	WerFault.exe	0a90fcb89e5c36783d14359dfd0d2462.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

0a90fcb89e5c36783d14359dfd0d2462.exeda_1648136254601.exe

description	pid	process
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4932	da_1648136254601.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4932	da_1648136254601.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4932	da_1648136254601.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe
Token: SeManageVolumePrivilege	4792	0a90fcb89e5c36783d14359dfd0d2462.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0a90fcb89e5c36783d14359dfd0d2462.exe

description	pid	process	target process
PID 4792 wrote to memory of 4932	4792	0a90fcb89e5c36783d14359dfd0d2462.exe	da_1648136254601.exe
PID 4792 wrote to memory of 4932	4792	0a90fcb89e5c36783d14359dfd0d2462.exe	da_1648136254601.exe
PID 4792 wrote to memory of 4932	4792	0a90fcb89e5c36783d14359dfd0d2462.exe	da_1648136254601.exe

C:\Users\Admin\AppData\Local\Temp\0a90fcb89e5c36783d14359dfd0d2462.exe
"C:\Users\Admin\AppData\Local\Temp\0a90fcb89e5c36783d14359dfd0d2462.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe
  "C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 2832
  2⤵
  - Program crash
  PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4792 -ip 4792
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
2.0MB

MD5
369727c8448874edcbf2ad2db5f5271a

SHA1
f962a928e24071d2cf63b3e67abaca1d40b840b7

SHA256
fe06db434d5e0cca0d0c72627fc732bfca85d3708649464e5b61d814468ee739

SHA512
11cd32a2284f611da89788622414065804aacdebfaba8c07c48d2ffe18b063df6e8f5945f119a4335ce15daa97a455237c578c02bcf85cf4827542a205cb0970

Download Submit
C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
2.0MB

MD5
369727c8448874edcbf2ad2db5f5271a

SHA1
f962a928e24071d2cf63b3e67abaca1d40b840b7

SHA256
fe06db434d5e0cca0d0c72627fc732bfca85d3708649464e5b61d814468ee739

SHA512
11cd32a2284f611da89788622414065804aacdebfaba8c07c48d2ffe18b063df6e8f5945f119a4335ce15daa97a455237c578c02bcf85cf4827542a205cb0970

Download Submit
memory/4792-124-0x0000000002779000-0x0000000002A31000-memory.dmp

Filesize
2.7MB

Download
memory/4792-125-0x0000000002A40000-0x0000000002F38000-memory.dmp

Filesize
5.0MB

Download
memory/4792-126-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/4932-127-0x0000000000000000-mapping.dmp

Download
memory/4932-130-0x0000000004210000-0x0000000004220000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads