21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1

General

Target

21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
Size

1.1MB
MD5

23f8408e384963490f0e27f692e71d31
SHA1

e73c160b9cd415665daac6c6c09cb791f0d383ab
SHA256

21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1
SHA512

104c2c29c8f3559d2f5de0f2684d8660fc55b9a61d130202b3e6d626cbcc690faa2c1eb1021220249802b77f2d475403a3408962b8c8e13b45649d1d58f0b805
SSDEEP

24576:y9J0Mqc6H34ZSa8tR6nGGDxRBNzIzNpdTt9hwiqU18Y9ljUy:ul668yj3BNszh5cNU1J9lwy

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-70-0x0000000000400000-0x0000000000645000-memory.dmp	upx
behavioral1/memory/1972-71-0x0000000000400000-0x0000000000645000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe"	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 848	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	27
PID 976 wrote to memory of 848	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	27
PID 976 wrote to memory of 848	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	27
PID 976 wrote to memory of 848	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	27
PID 976 wrote to memory of 664	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	28
PID 976 wrote to memory of 664	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	28
PID 976 wrote to memory of 664	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	28
PID 976 wrote to memory of 664	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	28
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29
PID 976 wrote to memory of 1972	976	21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe	29

C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
"C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
  "C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe"
  2⤵
  PID:848
- C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
  "C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe"
  2⤵
  PID:664
- C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe
  "C:\Users\Admin\AppData\Local\Temp\21d74555b5d872f9170f7fc5c5c16faaa6a7788ffb25d103aca644e31ac8bed1.exe"
  2⤵
  - Adds Run key to start application
  PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/976-66-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/1972-63-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-58-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-60-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-62-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-57-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1972-67-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-68-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-70-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1972-71-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing