4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219

General

Target

4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
Size

1.5MB
MD5

d4d3ebbcb0420f3ec143748e61537e70
SHA1

b3eac6fb329c5c9921446a05a1e96db57b9c6982
SHA256

4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219
SHA512

13db3372b8070b057c1f3ad046fe8212a327233191fd13568c8733560b74d76b14cd7825b1043196eb9bbd357cc4661c11a67245429c679056a6279ef1783b2d
SSDEEP

24576:GJbNfxcmJFhyoT8iniabEzZ15UaHcYuxX2KN/rSnysBIhq8bu0B3q1UNJjf/vjUm:GtzFsY5idZ1sxGi3sqqc2UPfXFZ

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1912-141-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral2/memory/1912-142-0x0000000000400000-0x000000000063E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe"	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1912	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f73d3cf7f0e87912315b54875495ccff6abfafcaf7c4f158b8186f5a50805f1c199068f069b4dabc43ae8b3c4222a52968402e309c9a310979a01f945ac8905eaa4c2dd0a1586975e5ed540132268ad6102677fa15caad90df3b5dd6be08d595bd678c7	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DGRzTSAPO+ILL/AugBgiun7uIMDggOTFiKXEvTAqaC41ODqfhQmnLTbOLGiW944g0A=="	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4412	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	81
PID 2508 wrote to memory of 4412	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	81
PID 2508 wrote to memory of 4412	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	81
PID 2508 wrote to memory of 700	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	82
PID 2508 wrote to memory of 700	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	82
PID 2508 wrote to memory of 700	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	82
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83
PID 2508 wrote to memory of 1912	2508	4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe	83

C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
"C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
  C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
  2⤵
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
  C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
  2⤵
  PID:700
- C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
  C:\Users\Admin\AppData\Local\Temp\4d19028ab9b9f446a8ec98f2b41c46fc976f936c9ce505f8e19eb30d9e6c2219.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-135-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1912-137-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1912-138-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1912-139-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1912-140-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1912-141-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1912-142-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/2508-136-0x0000000002320000-0x0000000002324000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads