f961ab990bb222718ec6602a854dd7395926f0813028799b7f367aec91382c57

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20220414-es
submitted
23-06-2022 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_.exe
Size

325KB
MD5

04704493bcdc4d0c1c9d0fd8ebf5afbc
SHA1

95d64b037a8d0c5d8318a7c1429d89529ac5c766
SHA256

28225c5622637cdaed8342e14560e8de7b53dd6ba145d973643fc4b5bdd67b75
SHA512

ed06b9f7931326ff6923b65e95db45931b21995aa8b52eb26f578017e5b60bee7139251bc3fedc65fc7becb7e1d7d4dfdaa17361d01d8d36ebd770c9142c5c8d

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

setup-stub.exe

pid process

852 setup-stub.exe

pid	process
852	setup-stub.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/2016-68-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Loads dropped DLL 8 IoCs

Processes:

_.exesetup-stub.exe

pid process

2016 _.exe
852 setup-stub.exe
852 setup-stub.exe
852 setup-stub.exe
852 setup-stub.exe
852 setup-stub.exe
852 setup-stub.exe
852 setup-stub.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2016	_.exe
852	setup-stub.exe
852	setup-stub.exe
852	setup-stub.exe
852	setup-stub.exe
852	setup-stub.exe
852	setup-stub.exe
852	setup-stub.exe

Drops file in Program Files directory 6 IoCs

Processes:

setup-stub.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\nst2723.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst2725.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst2726.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst2725.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst2723.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst2724.tmp	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

setup-stub.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main setup-stub.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

setup-stub.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83\Blob = 190000000100000010000000a8355bdb761b1b8acb37320dbda0c5b10f0000000100000020000000a7028b93aeeb88736b4c31672adc13d76a07f13eec230e098b6d988560458c4f0300000001000000140000008bdfdcaa3d53e97d1940ed9fd6f8ad5d00eacd83140000000100000014000000cd7c6be15b815b8e3c4409e537c311309c7b322d2000000001000000f9020000308202f5308201dda0030201020210073421b2bd315caa4aa75fb9f86f400d300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393130303030305a170d3237303432383130303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a70999e270175984af774b12da719c9536b539022abf420b6223456c88b1adf2615b9ccc196383a3181f68f9657ab40f13405b6a06fe4dfe3d0352dac1f0f138eb03a8d60aefe7e2b2e77b38f6ad2a64f8ee807c34861b4d12e65612055d60ca41908207c127d62178d4bbdd34430f7f0b647c2c333b77ac8e1689be17852331c1bd3e836dd656231ab112fa67501f1ffe3bbd1adc17325e442d22247be092fe51c0e32daa34653184e7d254f25358d104a4c7b15ff931d46bd7a7e800f91cf3aa89922fa7d98c6e93e76ad2391892a21afb32cacbd3aa26e205f8bce123f076517668596b833fd64ac38a63b40234d9ce4bb3bb08cb4aa295bc6966cd3613f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cd7c6be15b815b8e3c4409e537c311309c7b322d300d06092a864886f70d01010b0500038201010087d2408a5a0d7a02136b84fd81d791a9d83485919135ac495d42dd38520577bb2592f492818192397db4ee723912d824c514887c3d7ae34c9b33cf3393db9b0549d2a8d84c2aed04a9731fd7670f2ea7ade92453231eac4b4a3e05256a800e933d70665c640a70718ce770e892cc0d0401d5039c6426d7fc3c9b456641d2e93f662b413197d063309915a6dd832aea728c2c149a3e40273cd7d985fd54caebee833c1e405ca8b1f3fd0bac7f8196022f308b8c8f3ac06d86f65ee3638862d8c793b31fce9435dbd9c630ef7928b093e414ed6c9925f989b076059f55e12a6cd6bfa5644c33d79cac98665b826cef1d719908fbeff276e6c7ff6e1c50b7215c84	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83\Blob = 0f0000000100000020000000a7028b93aeeb88736b4c31672adc13d76a07f13eec230e098b6d988560458c4f0300000001000000140000008bdfdcaa3d53e97d1940ed9fd6f8ad5d00eacd832000000001000000f9020000308202f5308201dda0030201020210073421b2bd315caa4aa75fb9f86f400d300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393130303030305a170d3237303432383130303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a70999e270175984af774b12da719c9536b539022abf420b6223456c88b1adf2615b9ccc196383a3181f68f9657ab40f13405b6a06fe4dfe3d0352dac1f0f138eb03a8d60aefe7e2b2e77b38f6ad2a64f8ee807c34861b4d12e65612055d60ca41908207c127d62178d4bbdd34430f7f0b647c2c333b77ac8e1689be17852331c1bd3e836dd656231ab112fa67501f1ffe3bbd1adc17325e442d22247be092fe51c0e32daa34653184e7d254f25358d104a4c7b15ff931d46bd7a7e800f91cf3aa89922fa7d98c6e93e76ad2391892a21afb32cacbd3aa26e205f8bce123f076517668596b833fd64ac38a63b40234d9ce4bb3bb08cb4aa295bc6966cd3613f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cd7c6be15b815b8e3c4409e537c311309c7b322d300d06092a864886f70d01010b0500038201010087d2408a5a0d7a02136b84fd81d791a9d83485919135ac495d42dd38520577bb2592f492818192397db4ee723912d824c514887c3d7ae34c9b33cf3393db9b0549d2a8d84c2aed04a9731fd7670f2ea7ade92453231eac4b4a3e05256a800e933d70665c640a70718ce770e892cc0d0401d5039c6426d7fc3c9b456641d2e93f662b413197d063309915a6dd832aea728c2c149a3e40273cd7d985fd54caebee833c1e405ca8b1f3fd0bac7f8196022f308b8c8f3ac06d86f65ee3638862d8c793b31fce9435dbd9c630ef7928b093e414ed6c9925f989b076059f55e12a6cd6bfa5644c33d79cac98665b826cef1d719908fbeff276e6c7ff6e1c50b7215c84	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8BDFDCAA3D53E97D1940ED9FD6F8AD5D00EACD83\Blob = 140000000100000014000000cd7c6be15b815b8e3c4409e537c311309c7b322d0300000001000000140000008bdfdcaa3d53e97d1940ed9fd6f8ad5d00eacd830f0000000100000020000000a7028b93aeeb88736b4c31672adc13d76a07f13eec230e098b6d988560458c4f2000000001000000f9020000308202f5308201dda0030201020210073421b2bd315caa4aa75fb9f86f400d300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393130303030305a170d3237303432383130303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a70999e270175984af774b12da719c9536b539022abf420b6223456c88b1adf2615b9ccc196383a3181f68f9657ab40f13405b6a06fe4dfe3d0352dac1f0f138eb03a8d60aefe7e2b2e77b38f6ad2a64f8ee807c34861b4d12e65612055d60ca41908207c127d62178d4bbdd34430f7f0b647c2c333b77ac8e1689be17852331c1bd3e836dd656231ab112fa67501f1ffe3bbd1adc17325e442d22247be092fe51c0e32daa34653184e7d254f25358d104a4c7b15ff931d46bd7a7e800f91cf3aa89922fa7d98c6e93e76ad2391892a21afb32cacbd3aa26e205f8bce123f076517668596b833fd64ac38a63b40234d9ce4bb3bb08cb4aa295bc6966cd3613f90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cd7c6be15b815b8e3c4409e537c311309c7b322d300d06092a864886f70d01010b0500038201010087d2408a5a0d7a02136b84fd81d791a9d83485919135ac495d42dd38520577bb2592f492818192397db4ee723912d824c514887c3d7ae34c9b33cf3393db9b0549d2a8d84c2aed04a9731fd7670f2ea7ade92453231eac4b4a3e05256a800e933d70665c640a70718ce770e892cc0d0401d5039c6426d7fc3c9b456641d2e93f662b413197d063309915a6dd832aea728c2c149a3e40273cd7d985fd54caebee833c1e405ca8b1f3fd0bac7f8196022f308b8c8f3ac06d86f65ee3638862d8c793b31fce9435dbd9c630ef7928b093e414ed6c9925f989b076059f55e12a6cd6bfa5644c33d79cac98665b826cef1d719908fbeff276e6c7ff6e1c50b7215c84	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup-stub.exe

pid process

852 setup-stub.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup-stub.exe

pid process

852 setup-stub.exe
852 setup-stub.exe

pid	process
852	setup-stub.exe

pid	process
852	setup-stub.exe
852	setup-stub.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

_.exe

description	pid	process	target process
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe
PID 2016 wrote to memory of 852	2016	_.exe	setup-stub.exe

C:\Users\Admin\AppData\Local\Temp\_.exe
"C:\Users\Admin\AppData\Local\Temp\_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS0E7FC03C\setup-stub.exe
.\setup-stub.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0E7FC03C\setup-stub.exe
Filesize
464KB

MD5
32b1aed8cda8677b31c3cec33b982462

SHA1
5966299d342e5c0a123551c49f97324494cd48ea

SHA256
d7840eea40a5a88af824f24473e95d0227e69c4439d6ea791d50cb94bf0cfb2a

SHA512
b9b33072350eff2f90e8e5bb84af9c78592c39bebeb8abc5775eb4f2cf87de2873e42d2ed3124772ead4b18a5618bf4a519bf334de0d07f2e87f5862c55454c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E7FC03C\setup-stub.exe
Filesize
464KB

MD5
32b1aed8cda8677b31c3cec33b982462

SHA1
5966299d342e5c0a123551c49f97324494cd48ea

SHA256
d7840eea40a5a88af824f24473e95d0227e69c4439d6ea791d50cb94bf0cfb2a

SHA512
b9b33072350eff2f90e8e5bb84af9c78592c39bebeb8abc5775eb4f2cf87de2873e42d2ed3124772ead4b18a5618bf4a519bf334de0d07f2e87f5862c55454c7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E7FC03C\setup-stub.exe
Filesize
464KB

MD5
32b1aed8cda8677b31c3cec33b982462

SHA1
5966299d342e5c0a123551c49f97324494cd48ea

SHA256
d7840eea40a5a88af824f24473e95d0227e69c4439d6ea791d50cb94bf0cfb2a

SHA512
b9b33072350eff2f90e8e5bb84af9c78592c39bebeb8abc5775eb4f2cf87de2873e42d2ed3124772ead4b18a5618bf4a519bf334de0d07f2e87f5862c55454c7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\CityHash.dll
Filesize
43KB

MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\InetBgDL.dll
Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\UAC.dll
Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\UserInfo.dll
Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\UserInfo.dll
Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\WebBrowser.dll
Filesize
93KB

MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
memory/852-57-0x0000000075F11000-0x0000000075F13000-memory.dmp

Filesize
8KB

Download
memory/852-65-0x00000000741E1000-0x00000000741E3000-memory.dmp

Filesize
8KB

Download
memory/852-64-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/852-55-0x0000000000000000-mapping.dmp

Download
memory/2016-68-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download