3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247

General

Target

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
Size

1.0MB
MD5

d53533f51dd198a6c3c97af1f91d3b9c
SHA1

95a6a66f24022ce2ce153aee3e6725434713169d
SHA256

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247
SHA512

a4099bd664a1998ec7ddbef7c7ec1dba8ddbc1e80c0a8c9b2052d28a207ccc1a4f510187d46c5518620defa73045f293c65c3fecab7f17189f9666d22d167132
SSDEEP

24576:tCQ/KUYbAD1z1g1sOcpdtWcZ/I+cMHU4b8alMVIP1U4QeYjr:VYbA5z1gGOcpXbI+Rb3lFP1U5l

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4592-140-0x0000000000400000-0x0000000000645000-memory.dmp	upx
behavioral2/memory/4592-141-0x0000000000400000-0x0000000000645000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe"	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

description	pid	process	target process
PID 1324 set thread context of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f730ddf271b3ba4da63f65771c438b3e9d59faeaa947dc8acdb931ce1fdebd7bded4bf0ca0364c1f01fe14e6f93518bddff80a1a77fd9d77a13017afb230c9ec1c4a101935c5cdfded689e7b77482201a0e677fed0544415787a737e4e695431998f782	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DFfKPEDUHMDtYSAURT7Fv0H91sk2REbA4Neijz99mcbkFLIyZbxdnbOpsXB2eK7+8A=="	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

pid	process
1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

pid process

1324 3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
"C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
"C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe"
2⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
"C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe"
2⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
"C:\Users\Admin\AppData\Local\Temp\3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe"
2⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-136-0x0000000002FA0000-0x0000000002FA4000-memory.dmp

Filesize
16KB

Download
memory/4476-132-0x0000000000000000-mapping.dmp

Download
memory/4592-134-0x0000000000000000-mapping.dmp

Download
memory/4592-135-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4592-138-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4592-139-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4592-140-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4592-141-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4620-133-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1324 wrote to memory of 4476	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4476	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4476	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4620	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4620	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4620	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe
PID 1324 wrote to memory of 4592	1324	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe	3b62b213c0f302d8b8ee8fe58921b31f0adf6bb7dd7b3cdacd37690d7a0ab247.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads