abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b

General

Target

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
Size

1.0MB
MD5

1d56740f3a446659fcf761264ff7308c
SHA1

5e7bb105a14492bd580330f27a5c5221ebad6dc6
SHA256

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b
SHA512

ca6b792c94279b845febbcc423417d019b5b5b293b12554b4ff9bee3a71ac9f659852759ab68569b55308366d116e9233fbbe7181f69cc233d140058ed62723a
SSDEEP

24576:KHfQGNcNwnEsE2oLgpHNSkfq0NF12NtCULF:U/5nYJLsHNhbgsUB

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3848-140-0x0000000000400000-0x0000000000645000-memory.dmp	upx
behavioral2/memory/3848-141-0x0000000000400000-0x0000000000645000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe"	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

description	pid	process	target process
PID 1404 set thread context of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f73754a6c7e66444a0dba16353aac949bbbda05a47ee14dab13322a7a0ecb36e80ed0e8824a6f42c208445141fadae081d08b391ddf3058f461d7decc15f360b0d781d695f64e76d68d26798b151733ff69677f60054bb10123a58c8584512288349e5f	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DKZ4+X+q2klj4PhtTKXMo3x+xXaGKbvLZ5i5clXFGF6wTqqVMC8RHlT8iTKKLJNjKQ=="	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

pid	process
1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

pid	process
1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
"C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
2⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
2⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
C:\Users\Admin\AppData\Local\Temp\abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
2⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-133-0x0000000000000000-mapping.dmp

Download
memory/1404-135-0x0000000002A20000-0x0000000003469000-memory.dmp

Filesize
10.3MB

Download
memory/3848-134-0x0000000000000000-mapping.dmp

Download
memory/3848-136-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3848-138-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3848-139-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3848-140-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/3848-141-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4548-132-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1404 wrote to memory of 4548	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 4548	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 4548	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 1120	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 1120	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 1120	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe
PID 1404 wrote to memory of 3848	1404	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe	abf00d8ae247a10ce1a32e518b7850163ef7d6ef961bd06955d1903a8f22aa2b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads