553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab

General

Target

553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Size

57KB
MD5

84b6c6260e09970104c45f1d12c95820
SHA1

4142544b9c8d9c0735e8b6ba86578541a05090c5
SHA256

553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab
SHA512

0819b89a3bf4373ef55de4d97c9c90cc83e467007fafb9928535b90913b1dc063c07d91bd6d107af4cd0dfcbab1340b7868697f62a4ba3916b2d00ca20b53664
SSDEEP

1536:4c+gdLv5ETz8OhKoEjXQspbK0o9zPbJZIvDEr9:7DKEjPpO0o9jF

Score

8^/10

evasion spyware stealer trojan upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1672-54-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1672-56-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanTIF = "1"	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\UseAllowList = "0"	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\ClearBrowsingHistoryOnExit = "1"	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AB00E3B6DA03470E4BE5418FDF86E3E1706ED813	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AB00E3B6DA03470E4BE5418FDF86E3E1706ED813\Blob = 030000000100000014000000ab00e3b6da03470e4be5418fdf86e3e1706ed8132000000001000000b4040000308204b030820398a003020102020900d55bfc2cbeb7e381300d06092a864886f70d0101050500308196310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731133011060355040a130a546861777465204c746431383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311630140603550403130d546861777465204c7464204341301e170d3132303830313131353834355a170d3133303830313131353834355a308196310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731133011060355040a130a546861777465204c746431383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311630140603550403130d546861777465204c746420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ecd0dd9bf73afbdd0b0da1d505bff0e91b75ebc920dd4c7610a75e49ec5ead75ee80d79078e4290eaae466616ae267776963a62ef9c957f1399254546f6e8be1557189742e46964aaab18349d831d10c8c78b8369023427c55ed63ac7c72886fe917b51a69da524e11165b679efef0653e7f4eaf69299fda68e63b17ba363355b1d58c06ff5e168e3353387323fd0ca8b6e23a54e4d07ad52d62b94752e51736a57e36f3c643628ddf9069df47e7443c55ab37a3e94f4d7d2afb4a2f571e0da74f28ab7d1888eac181e705007069e3702b97cb5c0e0e512c5d6be01b46d68605eab94a93239451de617bb7c8f45b537f73238cbbd0e192950e421010bab37e350203010001a381fe3081fb301d0603551d0e04160414d896b3d404415dfdf968fc3178717de163c414073081cb0603551d230481c33081c08014d896b3d404415dfdf968fc3178717de163c41407a1819ca48199308196310b3009060355040613025255310f300d060355040813064d6f73636f77310f300d060355040713064d6f73636f7731133011060355040a130a546861777465204c746431383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311630140603550403130d546861777465204c7464204341820900d55bfc2cbeb7e381300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009a56016fd4880f1313ea09139b7a293f2a3ad9de7c009f0f2e21f7f855a9787da2442df86fae85e6c1fe7ba1ca41a64ecb94a134e2c2b81e54f57abdc399c10dbe8df341134999e63e4ec8b7e88eb813e1f24e8accd2fc4acf596392878511cb8b102eb80e561b91878dfc379c23ac0027cfed2cfe52804f7d1a646a62bc322ac08792ac57bb9c96dabdaba4b1d180564c63446397965a156f1503c842ec9a9164e1a19574fc039dc6420b15e13a34f43fd9cbd9a7ad0ac26b49a3b68aa6cfc7ac31c0b5ac687a8f402e00b5410a6a93907b245e40d772d2139ccd1f7c6e210255c797f811e12336b525abdf90ec517de75cbd23e93374ea15d73c9fe4041956	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1672	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Token: SeBackupPrivilege	1672	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Token: SeRestorePrivilege	1672	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
Token: SeBackupPrivilege	1672	553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe

C:\Users\Admin\AppData\Local\Temp\553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe
"C:\Users\Admin\AppData\Local\Temp\553dc921604d7837bee08a9e1ecdd7a2299355c9cb7985d04c5e5367866181ab.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1672-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads