57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c

General

Target

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
Size

1.0MB
MD5

25bed3c8fa9093fac7c9369482a47e9b
SHA1

92625ab907d26918705dfb7c779630a2df652487
SHA256

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c
SHA512

101ad00f587a160d9941bdb6798c597d5b734c82ae261d3acc33169dbaba12ea38cab1ff57fbf1dea895d9fa4ce88b4aed80b91cad34755de72965be8eb63980

Score

10^/10

discovery persistence spyware stealer suricata upx

Malware Config

Signatures

suricata: ET MALWARE Win32/Kelihos.F Checkin
suricata: ET MALWARE Win32/Kelihos.F Checkin
suricata

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2588-138-0x0000000000400000-0x0000000000645000-memory.dmp	upx
behavioral2/memory/2588-139-0x0000000000400000-0x0000000000645000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe"	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

description	pid	process	target process
PID 4892 set thread context of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f739000d8c0e9f8d5f3bc7ca848e41abe68baadc4f304192313a34eb1dd76446fb5b01ad383799bea67f2233d7e9439b23f090f8bd2e230b0da3d73bc47d0870f1adba24ceb4527ecdf0bd2a2da5932fb16677fa6d714aa061ea4b7f874ab78d280974e	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DEtuB6yYLIup5yqFOb6b5mvuVnxBnwsBlB6Mq3kjItMk+86lD4vo9bRS68HPwbqIFg=="	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

pid	process
4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

pid	process
4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
"C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
2⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
2⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
C:\Users\Admin\AppData\Local\Temp\57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
2⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-130-0x0000000000000000-mapping.dmp

Download
memory/2588-132-0x0000000000000000-mapping.dmp

Download
memory/2588-133-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2588-135-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2588-137-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2588-138-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2588-139-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2612-131-0x0000000000000000-mapping.dmp

Download
memory/4892-136-0x0000000002940000-0x0000000003388000-memory.dmp

Filesize
10.3MB

Download

description	pid	process	target process
PID 4892 wrote to memory of 2004	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2004	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2004	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2612	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2612	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2612	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe
PID 4892 wrote to memory of 2588	4892	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe	57420cddf2a44e063fbe4bd91c5b2f6e42f28110be542aebb91875a59dfa580c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads