56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192

General

Target

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
Size

1.0MB
MD5

587407fe5a8d4a3c7c499a10bff9e36a
SHA1

af7e22ae5c956d8f7e39cbb3e3623b4ea9d4f94d
SHA256

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192
SHA512

848a997e1dd9041d1e07a749e953901caa90449fe58ea26277db29337dd610c18b8cffaff47e71e98978a40f9fb64dc35ea3c0aa03d9ce09a960c5f059eaa070

Score

10^/10

discovery persistence spyware stealer suricata upx

Malware Config

Signatures

suricata: ET MALWARE Win32/Kelihos.F Checkin
suricata: ET MALWARE Win32/Kelihos.F Checkin
suricata

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3904-138-0x0000000000400000-0x0000000000645000-memory.dmp	upx
behavioral2/memory/3904-139-0x0000000000400000-0x0000000000645000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe"	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

description	pid	process	target process
PID 1816 set thread context of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Internet Explorer\Main	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f731ddef37e0fe74fcfe604748f870664da36b05ce9913a594efe2cacd6e6cd9cfafad71b1aba933b4ac36e086fe404ed60851a38ead925c3a68e7c74b5ae2f4226b36e2f8e33d1105c4ad4f8b9f75645fd677f8a3e143d47d446eb8f9e4624dcd622c2	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DAl8NlRxxeXQVZQ1EN4x5prqyWIAHCWYTFZJ53RphpQDsZLgTBhtbTbVOy/PhsV8ow=="	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

pid	process
1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

pid	process
1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
"C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
"C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe"
2⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
"C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe"
2⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
"C:\Users\Admin\AppData\Local\Temp\56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe"
2⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:3904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-130-0x0000000000A70000-0x0000000000A74000-memory.dmp

Filesize
16KB

Download
memory/3428-131-0x0000000000000000-mapping.dmp

Download
memory/3904-133-0x0000000000000000-mapping.dmp

Download
memory/3904-134-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3904-136-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3904-137-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3904-138-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3904-139-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4392-132-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1816 wrote to memory of 3428	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3428	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3428	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 4392	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 4392	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 4392	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe
PID 1816 wrote to memory of 3904	1816	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe	56735166d8ba22753eb9f6b11935613deeec9f76cd60150712d83a0dc11fa192.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads