c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d

General

Target

c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
Size

1020KB
MD5

9006c9911198d79d9c4b89c2d5b051d8
SHA1

47856b1b9ea7a2faecc503945ba00c72ff22d0d9
SHA256

c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d
SHA512

6cb17034804c0d97f2626a175cb827637e3de286186b13e712d6d695696310025a324d2fa519919ff451a611b42874da1b442f1391ebd5d12836c343c4a1af92
SSDEEP

24576:DuFgLEjbjzAUFZWkXuBdVsqPHxBvTmvODg28oQ:DWgLAEWDIzvaL2vQ

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4812-132-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4788-141-0x0000000000400000-0x0000000000646000-memory.dmp	upx
behavioral2/memory/4788-142-0x0000000000400000-0x0000000000646000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe"	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4812 set thread context of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f73cd6d781563f19d70742989ed6e5bb7101e0ea8f3aa1cf20bc750d89dc810379f1037b3c4d037c2227d85de46a57438f775e61dba640148a33319bfd3e8fe2ede9c28eb842b8dba303973c1599f947805677fc6cd098cc9bd1d84c4fd3c7c22fca925	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DA55GMXj1bvbQK6k48Dbsbpars6ZuDeOL25uMxdDOuXv8iH636DpJDSh/fQ8gpjCKA=="	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4752	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	82
PID 4812 wrote to memory of 4752	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	82
PID 4812 wrote to memory of 4752	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	82
PID 4812 wrote to memory of 4924	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	84
PID 4812 wrote to memory of 4924	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	84
PID 4812 wrote to memory of 4924	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	84
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83
PID 4812 wrote to memory of 4788	4812	c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe	83

C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
"C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
  C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
  2⤵
  PID:4752
- C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
  C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
  C:\Users\Admin\AppData\Local\Temp\c0f05b22f98ea984d67863986d2cf07fb72a15916e38a70cbb7b65e9a5d3082d.exe
  2⤵
  PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4788-139-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4788-136-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4788-140-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4788-141-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4788-142-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4812-132-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4812-137-0x0000000002180000-0x0000000002184000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads