955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16

General

Target

955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
Size

1.5MB
MD5

dbbed8cdfdd9b566cf7bd3f7a80feb98
SHA1

94e7dbfb25a8278da08137ab32b184314aaec752
SHA256

955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16
SHA512

dbefbd18c33f0883e5e79b0a912b73ae9fab7722f70f7372147f6f5cc4591ba8499c8ec73dedf1485852cb8d42ccc3408d8edb886d02f9ec9107124cbaf573d7
SSDEEP

24576:3FZd+yMNnCrk1md4Tz/83KqqfiQPUuP/fiwkjAPbFAqGRHfehxH0Y1dq59lF+h2N:bdKH1muf/2qfUuqwkjcpCfaxH/dufN

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4484-142-0x0000000000400000-0x000000000063E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe"	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4484	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4044 set thread context of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f7394c6d150094d9e85ec73a9f86f8edfbd2917783246dcc17ad677db0919e2e90167b5e4e345d7cf471d2b612c3f8b232e394c5a9f6f86e506a3792cd5d1f3b9c6e5f675661d799fbd20efb771d2eafcca677f8a1318410e96d1a6de5386052107c464	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DGJ6YA8xEEeFYywxUrj55Jj1n8zCEAoVlJEuyJ5g7RleGb6eUQ/inoltMsH2MOfIIw=="	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4760	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	81
PID 4044 wrote to memory of 4760	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	81
PID 4044 wrote to memory of 4760	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	81
PID 4044 wrote to memory of 3648	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	82
PID 4044 wrote to memory of 3648	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	82
PID 4044 wrote to memory of 3648	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	82
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83
PID 4044 wrote to memory of 4484	4044	955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe	83

C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
"C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
  C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
  C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
  2⤵
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
  C:\Users\Admin\AppData\Local\Temp\955396ec6fb8f766dc9017e783083884d68b6978c22aaa595f686b64ea517d16.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4044-138-0x0000000002320000-0x0000000002324000-memory.dmp

Filesize
16KB

Download
memory/4484-136-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/4484-137-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/4484-139-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/4484-140-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/4484-141-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/4484-142-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads