83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f

Analysis

max time kernel
165s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe
Size

895KB
MD5

9d51fdf78ee92e349efdebcb46094b96
SHA1

8984013634849c89127152f956fa4094ad15e4d0
SHA256

83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f
SHA512

523a469c72f9e27128abf7807a5a7343a26af58fef858693042178262ef03b5aea6a39cf6efff810c338bbb4e5c9e56eb689e5843af230092d9bbfe06ed7eea4
SSDEEP

24576:yS/EKKA1XZCMp5nPPkLuQhHxGTqkEt6Rpu2mGPQ5rBvbMPIKLeX1:yIEKKAHR5PMLu0g7RppgrxWBLeX1

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1512-132-0x0000000000FF0000-0x000000000122E000-memory.dmp	upx
behavioral2/memory/1512-133-0x0000000000FF0000-0x000000000122E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe"	83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main	83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = d980f97f73c6305e27baef93873db84846bbeb3e260c050b54a08f5cccbdfd83968d94b6384aa7959330420f70295410c48280d6cc23c0bae997483d7b472073aa7bdedd1db93cf083dba07ff951508f3d6f8e9f62677f9711022b506f48a1f26116f82ab6bc0d	83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DPXGXDU3MoJPWOXEKtpH7091YsKGS1eSRWTQiMDMgj9udd7IIYoR9SJiMYl2oVA36A=="	83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe

C:\Users\Admin\AppData\Local\Temp\83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe
"C:\Users\Admin\AppData\Local\Temp\83aaa1b54fca86ff4d36be3927c59cc7c0e259e1dee1f28327bde64115e98e1f.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-132-0x0000000000FF0000-0x000000000122E000-memory.dmp

Filesize
2.2MB

Download
memory/1512-133-0x0000000000FF0000-0x000000000122E000-memory.dmp

Filesize
2.2MB

Download