d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae

Analysis

max time kernel
158s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe
Size

948KB
MD5

80ec22227be4084f8a1602a7b03c6953
SHA1

7d59089b380147ca135543f7d9bd3fa2e27132fd
SHA256

d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae
SHA512

0728f71009afe6bef5486a72ad41b0040d32c4c9e5091baab3ce5fb1abd2a472ec395bf0204a64d5ff484270b9387fe916fc50008c9fddb17ca75974e4816634
SSDEEP

24576:L1GxKpjKISzqvSkmKiC1BdGBbm/YPRMTMLSeI9:yiKHumKZ1aCgOgLLu

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4088-132-0x0000000000400000-0x000000000065E000-memory.dmp	upx
behavioral2/memory/4088-134-0x0000000000400000-0x000000000065E000-memory.dmp	upx
behavioral2/memory/4088-135-0x0000000000400000-0x000000000065E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe"	d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = e980f97f7335bd5e2cf2c84de209bf5ad76c812ea5f510cfb0be7344b16bcf9010e4aaf63b297d555920afb568d373a449f2addd508019b89a695ef4fd93cf68459b0c842a1b5dd687a3ec69ea848301dc73446207677f125dd1a39159e7066c3f7d65f89261d5	d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DORpz3uxh6yafFkei1/hF0V3ESkfW9buc8bftju2cqxPZG5+fB922FT7yfk4D2kz/Q=="	d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000	d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main	d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe

C:\Users\Admin\AppData\Local\Temp\d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe
"C:\Users\Admin\AppData\Local\Temp\d4c27a80307c22cbd4f78c612c74b02f63a52133913dae68bc79abe5486765ae.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4088-132-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4088-134-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4088-135-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads