73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46

General

Target

73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Size

110KB
MD5

877996da419cb48838d9769b24f6016c
SHA1

1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597
SHA256

73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46
SHA512

d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3
SSDEEP

3072:dUdvtJxKyKWGK3WtrHu6asw3rWe2LLcp/:dUdpzG2SrHxal3Ser

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SunJava.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SunJava.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	SunJava.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4248-132-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4248-136-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x000b00000001e4f5-138.dat	upx
behavioral2/files/0x000b00000001e4f5-139.dat	upx
behavioral2/memory/1852-144-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4248-147-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1852-150-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJava = "C:\\Users\\Admin\\AppData\\Roaming\\Sunjava\\SunJava.exe"	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	mspaint.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3868	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4408	mspaint.exe
4408	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1852	SunJava.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
1852	SunJava.exe
1852	SunJava.exe
1852	SunJava.exe
1852	SunJava.exe
4408	mspaint.exe
4336	OpenWith.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1852	4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe	90
PID 4248 wrote to memory of 1852	4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe	90
PID 4248 wrote to memory of 1852	4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe	90
PID 4248 wrote to memory of 3708	4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe	91
PID 4248 wrote to memory of 3708	4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe	91
PID 4248 wrote to memory of 3708	4248	73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe	91
PID 4596 wrote to memory of 4408	4596	explorer.exe	95
PID 4596 wrote to memory of 4408	4596	explorer.exe	95
PID 1852 wrote to memory of 1244	1852	SunJava.exe	96
PID 1852 wrote to memory of 1244	1852	SunJava.exe	96
PID 1852 wrote to memory of 1244	1852	SunJava.exe	96
PID 1852 wrote to memory of 4204	1852	SunJava.exe	99
PID 1852 wrote to memory of 4204	1852	SunJava.exe	99
PID 1852 wrote to memory of 4204	1852	SunJava.exe	99
PID 1852 wrote to memory of 3868	1852	SunJava.exe	101
PID 1852 wrote to memory of 3868	1852	SunJava.exe	101
PID 1852 wrote to memory of 3868	1852	SunJava.exe	101

C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
"C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe
  C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\makecab.exe
    makecab "C:\Users\Admin\AppData\Roaming\signons.sqlite" "C:\Users\Admin\AppData\Roaming\sig.cab"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir C:\ /a"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\regedit.exe
    regedit /e "C:\Users\Admin\AppData\Local\Temp\XZIOFAVD___Admin__Screen__10-21-07IE.reg" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\"
    3⤵
    - Runs .reg file with regedit
    PID:3868
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg
  2⤵
  PID:3708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg" /ForceBootstrapPaint3D
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg

Filesize
1.2MB

MD5
04ee3f40f19c1d1ff3a105d9d9b3a425

SHA1
a2d69f21f7a349c9297f955d65cc0a7270ac2ea4

SHA256
206de912b6a81a54aaf5376e7e45ec9de5db68860596e41796757cf91b909c80

SHA512
fe4650d5221e5799f1365dc2a5f9664002da569f86ca51d9076b720eb602440de386ba6ce18d1824a85870ea3b80a490618890ce3f1b966fed16c7f8fe9bc980

Download Submit
C:\Users\Admin\AppData\Roaming\SunJava\SunJava.exe

Filesize
110KB

MD5
877996da419cb48838d9769b24f6016c

SHA1
1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597

SHA256
73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46

SHA512
d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3

Download Submit
C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe

Filesize
110KB

MD5
877996da419cb48838d9769b24f6016c

SHA1
1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597

SHA256
73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46

SHA512
d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3

Download Submit
C:\Users\Admin\AppData\Roaming\sig.cab

Filesize
75B

MD5
301a095ccbd67a5b228517e1eeab8a68

SHA1
7c2d91b8a59398957325153a4d1dfd5dcebe81a0

SHA256
e54beebd083043c6a7a1a0a8029b50f3cded2a2833123d457a948204a959248a

SHA512
f36a3073b1d6df2a941408138b6793bc27d0b75d1fc02afea3d274532828d6882ccf64909de3fd4a47f5e3198d6ade5a1aa7f2e05367a5ddca6d889f2724a675

Download Submit
memory/1852-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-152-0x00000281EED70000-0x00000281EED80000-memory.dmp

Filesize
64KB

Download
memory/4288-153-0x00000281EEDB0000-0x00000281EEDC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads