d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62

Analysis

max time kernel
136s
max time network
159s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
Size

1.9MB
MD5

cad1d36322a6ba654b9b88d24331b16f
SHA1

1a7f4e12dceb6b08d1bee1b05c532b9293eeb651
SHA256

d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62
SHA512

c46a3b6293bd180e614394e5c8c3a5d55fd35b8540eaf272ac59ae9b26c1d81bd9a62ad8f7cac148cac7e120089762f78fe8044e9d34a9a0841b7dce9e59deaf
SSDEEP

49152:H3s6naZh8B98XOzkMOr526eZ/V9Fiji6BD2ey6xqf9J3C1Uj8:H38Zh8Q+zNOrteRV9Fiji6BzyiqL3Rj8

Score

8^/10

spyware stealer upx vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

engine.datautoupdate.exe

pid process

1548 engine.dat
2000 autoupdate.exe

pid	process
1548	engine.dat
2000	autoupdate.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\update\engine.dat	upx
\Users\Admin\AppData\Local\Temp\update\engine.dat	upx
C:\Users\Admin\AppData\Local\Temp\update\engine.dat	upx
behavioral1/memory/1548-65-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1548-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1196-55-0x0000000000400000-0x00000000007E8000-memory.dmp	vmprotect
behavioral1/memory/1196-56-0x0000000000400000-0x00000000007E8000-memory.dmp	vmprotect
behavioral1/memory/1196-59-0x0000000000400000-0x00000000007E8000-memory.dmp	vmprotect
behavioral1/memory/1196-64-0x0000000000400000-0x00000000007E8000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\update\autoupdate.exe	vmprotect
\Users\Admin\AppData\Local\Temp\autoupdate.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\autoupdate.exe	vmprotect
behavioral1/memory/2000-72-0x0000000000F60000-0x000000000143F000-memory.dmp	vmprotect
behavioral1/memory/2000-77-0x0000000000F60000-0x000000000143F000-memory.dmp	vmprotect
behavioral1/memory/2000-92-0x0000000000F60000-0x000000000143F000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

Processes:

d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exeengine.dat

pid	process
1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
1548	engine.dat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

autoupdate.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main autoupdate.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	autoupdate.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://laban.vn/?utm_source=fs&utm_campaign=2911&utm_medium=lc&pr1=514d3030303133&pr2=1"	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exeautoupdate.exe

pid	process
1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
2000	autoupdate.exe
2000	autoupdate.exe
2000	autoupdate.exe
2000	autoupdate.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exeengine.dat

description	pid	process	target process
PID 1196 wrote to memory of 1548	1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe	engine.dat
PID 1196 wrote to memory of 1548	1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe	engine.dat
PID 1196 wrote to memory of 1548	1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe	engine.dat
PID 1196 wrote to memory of 1548	1196	d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe	engine.dat
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe
PID 1548 wrote to memory of 2000	1548	engine.dat	autoupdate.exe

C:\Users\Admin\AppData\Local\Temp\d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe
"C:\Users\Admin\AppData\Local\Temp\d1102a27481a8b54baf67887b28edccf520d5b759cd796102e0d200f4d59cd62.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\update\engine.dat
update\engine.dat update\autoupdate.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\autoupdate.exe
autoupdate.exe
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8ed9684acc665ea67ae5df1151852138

SHA1
2e0a217eb3e22da69a8f1a9947db61d6cf39c55d

SHA256
909d7eb93af7ebcb8bcaec96dbeaaab75370af8bb987d485c32e2f20c52b7552

SHA512
0c6bd94eb4c80b95cc61159dca8b9933e9af16467222aed918e54e4c75586f47faf4724b7083adbfaf579474a7e417e97a23b8729a789a00bba7e62721e72c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoupdate.exe
Filesize
2.3MB

MD5
37ba2e8e2a31e9b8d0080899cc6f4ce9

SHA1
441ac8b87e3d7f7b136735436798532c3c4f1284

SHA256
8704c6748ee431214056018fe52ac1af607db90f75284d753937bf795b398946

SHA512
ffea8ff7feb55daded98730cb7fb1335fad89f25ab8db6cef907c87f339a18805770a956be4a92b0afdd3bdbb9b8aa9744513f40e505a51b01144536d67c90b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoupdate.fls
Filesize
4KB

MD5
96e15ff3bf23f489ac2b44e19262a359

SHA1
15d69623f95662918e02bd6f06bcb25f8540eee2

SHA256
b6508aa1f30a1aba3427a0a7d7443f582ad03582760852c214908f42492ebbb4

SHA512
2e14a453d05c9da41c85a4e594d5420af568334c469f46f40d7dda05d71d80c5b7755259e1ef739b4eca08b7f0ee8f2c9619943125d5c1cacf15cad3eaa44cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoupdate.sls
Filesize
415B

MD5
f0900b9762a326710307dfc926fb00eb

SHA1
707dd5cc4e6d80ffb11ebcb6d206e68ef846bccb

SHA256
07c3f1251b20263ea17a8f601def029d9fcc92f7fd1e76b087c88c64cf7606be

SHA512
a6789dc47f8739098b44b01ca1ed511e77681f0230b9119b0d6a542a442f6dcd4534153175283344c01564faaf46121531a99ac50e09e0dcd7ed1b730e6e8297

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbhp.cnf
Filesize
34B

MD5
969e2df65f8eec55387ac86f8a388ab0

SHA1
63981b382a1237bb232c5406e8c93f89547b8062

SHA256
7fe888af4c69376f0cc5cbcf0cc97a16b162b311a9761f8100e3d9467c59deef

SHA512
c50ad7cd7d8235571338d5eb68f720e2e5208cee60c65f7a38975147c71a2586b7cd6d7fa694e1d11f27bf71c7a8979b4daaa44cf1d880cb6b8543a9c487b955

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\update202211.txt
Filesize
4KB

MD5
d8c26ec9c5c51ac79dde9ec3f39ad834

SHA1
c3490b666247e484c2b2cd6b7f496f46fe16c198

SHA256
d8f820fa588e2ada63c488915e09958be1fa768c992a30dab39c3bba8ae865f1

SHA512
799026f704d092dfc758903db2d7f5e87c4f1531b09fb8ffab18080ea6748482b10793e51cbf8470eaada8f1b26daea732277a16f64c9b17c717e6848a478330

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\autoupdate.exe
Filesize
2.3MB

MD5
37ba2e8e2a31e9b8d0080899cc6f4ce9

SHA1
441ac8b87e3d7f7b136735436798532c3c4f1284

SHA256
8704c6748ee431214056018fe52ac1af607db90f75284d753937bf795b398946

SHA512
ffea8ff7feb55daded98730cb7fb1335fad89f25ab8db6cef907c87f339a18805770a956be4a92b0afdd3bdbb9b8aa9744513f40e505a51b01144536d67c90b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\detectfile.enc
Filesize
64B

MD5
54fde500ca96b6603a44ec61e8656709

SHA1
b728022b13b189b05f836643252e824de9b1cae6

SHA256
b2a3e93875451a97237828dd87086b8d857e8a53cf06f75d7b3044da394aee93

SHA512
32f6971cdbb24cbceab3b868651d62696cad955fe35620fdcf31687326f2a1d2e3d1eaaea8a74f4e4e4157e5b6f38e9df4ed9cd8869f6ee398952468310c6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\engine.dat
Filesize
15KB

MD5
e2ec92471d1c2a338c42913c2c1d909e

SHA1
6afdd39412251379ecf93c1c70e857a4b587cd0f

SHA256
ed15bd103a2d66f434e6fc1722a9d09f4e562757b38ec3a973f8f226c8cd1465

SHA512
078c4ba7d3da635ff926f0f8b1dac46fb606e46148a36e96e33f80bc00f3ce4fc04edcf0a112555844d13a48e76ed2e6b19145104c7621de2b9dc48930e5daa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\filelist.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\rootfolder.ini
Filesize
1KB

MD5
470727b4f32fc6959d434c37ee060a76

SHA1
476e996ead1fb251af6e3fa8ce9090c0fa38a6c9

SHA256
01bfc6f3bbaa788ef1e1fd35773045cfd1560608326316fe269fcaa44b6845c4

SHA512
58e5e72fa8d37cd798d01d2e5c34b42fa74c2b2677fe761021e34167113958e81fdc43b7c499631947a131b4812b8075b35905a08ab3577cc2e86549eeed0eb9

Download Submit
\Users\Admin\AppData\Local\Temp\autoupdate.exe
Filesize
2.3MB

MD5
37ba2e8e2a31e9b8d0080899cc6f4ce9

SHA1
441ac8b87e3d7f7b136735436798532c3c4f1284

SHA256
8704c6748ee431214056018fe52ac1af607db90f75284d753937bf795b398946

SHA512
ffea8ff7feb55daded98730cb7fb1335fad89f25ab8db6cef907c87f339a18805770a956be4a92b0afdd3bdbb9b8aa9744513f40e505a51b01144536d67c90b5

Download Submit
\Users\Admin\AppData\Local\Temp\update\engine.dat
Filesize
15KB

MD5
e2ec92471d1c2a338c42913c2c1d909e

SHA1
6afdd39412251379ecf93c1c70e857a4b587cd0f

SHA256
ed15bd103a2d66f434e6fc1722a9d09f4e562757b38ec3a973f8f226c8cd1465

SHA512
078c4ba7d3da635ff926f0f8b1dac46fb606e46148a36e96e33f80bc00f3ce4fc04edcf0a112555844d13a48e76ed2e6b19145104c7621de2b9dc48930e5daa5

Download Submit
\Users\Admin\AppData\Local\Temp\update\engine.dat
Filesize
15KB

MD5
e2ec92471d1c2a338c42913c2c1d909e

SHA1
6afdd39412251379ecf93c1c70e857a4b587cd0f

SHA256
ed15bd103a2d66f434e6fc1722a9d09f4e562757b38ec3a973f8f226c8cd1465

SHA512
078c4ba7d3da635ff926f0f8b1dac46fb606e46148a36e96e33f80bc00f3ce4fc04edcf0a112555844d13a48e76ed2e6b19145104c7621de2b9dc48930e5daa5

Download Submit
memory/1196-64-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1196-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1196-59-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1196-56-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1196-55-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1548-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1548-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1548-62-0x0000000000000000-mapping.dmp

Download
memory/2000-68-0x0000000000000000-mapping.dmp

Download
memory/2000-72-0x0000000000F60000-0x000000000143F000-memory.dmp

Filesize
4.9MB

Download
memory/2000-77-0x0000000000F60000-0x000000000143F000-memory.dmp

Filesize
4.9MB

Download
memory/2000-92-0x0000000000F60000-0x000000000143F000-memory.dmp

Filesize
4.9MB

Download