d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303

Analysis

max time kernel
304s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
Size

160KB
MD5

502f5f49a2194ca4ce98fb19db09681f
SHA1

df7daed2ef5ca9056d5848a00ea894fee520bfa6
SHA256

d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303
SHA512

52331002478785e2afb2b9005b8fee2437dbe734177c159354fab2c66579853d45c142fb1937cca660fa953325517d4914f8f1137c0dbf2a9f212977ba4e5705
SSDEEP

3072:4dvjTJ4SvoE6dxh27eYKs32rwahWtlPO:4n4SvcAeQ32rUP

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
540	B6232F3ACDA.exe
856	UCU8C10.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1628-133-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1628-134-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1628-138-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/540-141-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/540-148-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	UCU8C10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3A9F7W1ZYVJFAUGQC = "C:\\Recycle.Bin\\B6232F3ACDA.exe /q"	UCU8C10.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	UCU8C10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	UCU8C10.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\PhishingFilter	UCU8C10.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery	UCU8C10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	UCU8C10.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
540	B6232F3ACDA.exe
540	B6232F3ACDA.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe
856	UCU8C10.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
Token: SeDebugPrivilege	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
Token: SeDebugPrivilege	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
Token: SeDebugPrivilege	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
Token: SeDebugPrivilege	540	B6232F3ACDA.exe
Token: SeDebugPrivilege	540	B6232F3ACDA.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe
Token: SeDebugPrivilege	856	UCU8C10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 540	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe	81
PID 1628 wrote to memory of 540	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe	81
PID 1628 wrote to memory of 540	1628	d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe	81
PID 540 wrote to memory of 856	540	B6232F3ACDA.exe	85
PID 540 wrote to memory of 856	540	B6232F3ACDA.exe	85
PID 540 wrote to memory of 856	540	B6232F3ACDA.exe	85
PID 540 wrote to memory of 856	540	B6232F3ACDA.exe	85
PID 540 wrote to memory of 856	540	B6232F3ACDA.exe	85

C:\Users\Admin\AppData\Local\Temp\d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe
"C:\Users\Admin\AppData\Local\Temp\d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Recycle.Bin\B6232F3ACDA.exe
  "C:\Recycle.Bin\B6232F3ACDA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\UCU8C10.exe
    "C:\Users\Admin\AppData\Local\Temp\UCU8C10.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycle.Bin\831E9750747855D

Filesize
33KB

MD5
d9de6f4ff685b30967738eb4aac56f26

SHA1
66fb4ec965fc6ab9d1eb00055eca82de685e6131

SHA256
60e0275f375411cd6f8c51c5b5618bdbc140c7a95f0b4bb777ab505bbf92c64e

SHA512
5a7795c67738725abd8b9dc4349a75d6f8c9d8f447dfdaf295bb8acc63dd0e0c1bcbbf80e29704e301cb5f3c031cde80bddff4562c6f9e1b1bdc8aa16f1d599a

Download Submit
C:\Recycle.Bin\B6232F3ACDA.exe

Filesize
160KB

MD5
502f5f49a2194ca4ce98fb19db09681f

SHA1
df7daed2ef5ca9056d5848a00ea894fee520bfa6

SHA256
d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303

SHA512
52331002478785e2afb2b9005b8fee2437dbe734177c159354fab2c66579853d45c142fb1937cca660fa953325517d4914f8f1137c0dbf2a9f212977ba4e5705

Download Submit
C:\Recycle.Bin\B6232F3ACDA.exe

Filesize
160KB

MD5
502f5f49a2194ca4ce98fb19db09681f

SHA1
df7daed2ef5ca9056d5848a00ea894fee520bfa6

SHA256
d560049ccab6333dc7d61c34636370ef39a9107354bdaed0d30f865d0c9af303

SHA512
52331002478785e2afb2b9005b8fee2437dbe734177c159354fab2c66579853d45c142fb1937cca660fa953325517d4914f8f1137c0dbf2a9f212977ba4e5705

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCU8C10.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCU8C10.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
memory/540-142-0x00000000005C0000-0x00000000005CB000-memory.dmp

Filesize
44KB

Download
memory/540-148-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/540-144-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/540-141-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/856-161-0x000000000BB06000-0x000000000BB08000-memory.dmp

Filesize
8KB

Download
memory/856-166-0x000000000BB06000-0x000000000BB08000-memory.dmp

Filesize
8KB

Download
memory/856-188-0x0000000074BE0000-0x0000000075030000-memory.dmp

Filesize
4.3MB

Download
memory/856-187-0x0000000000EE0000-0x0000000000F43000-memory.dmp

Filesize
396KB

Download
memory/856-186-0x0000000076630000-0x0000000076693000-memory.dmp

Filesize
396KB

Download
memory/856-185-0x000000000BB18000-0x000000000BB1A000-memory.dmp

Filesize
8KB

Download
memory/856-184-0x0000000074BE0000-0x0000000075030000-memory.dmp

Filesize
4.3MB

Download
memory/856-151-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-152-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-153-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-154-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-155-0x0000000000500000-0x0000000000505000-memory.dmp

Filesize
20KB

Download
memory/856-156-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-157-0x0000000077250000-0x00000000773F3000-memory.dmp

Filesize
1.6MB

Download
memory/856-158-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/856-159-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/856-160-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/856-183-0x000000000BB05000-0x000000000BB07000-memory.dmp

Filesize
8KB

Download
memory/856-162-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-163-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-164-0x0000000077250000-0x00000000773F3000-memory.dmp

Filesize
1.6MB

Download
memory/856-165-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/856-143-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/856-167-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-168-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-169-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-170-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-171-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-172-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-173-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-174-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-175-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-176-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-177-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-178-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-179-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-180-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/856-181-0x0000000074BE0000-0x0000000075030000-memory.dmp

Filesize
4.3MB

Download
memory/856-182-0x000000000BB04000-0x000000000BB06000-memory.dmp

Filesize
8KB

Download
memory/1628-132-0x0000000000600000-0x000000000060B000-memory.dmp

Filesize
44KB

Download
memory/1628-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1628-134-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1628-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1628-139-0x0000000077250000-0x00000000773F3000-memory.dmp

Filesize
1.6MB

Download
memory/1628-140-0x0000000077250000-0x00000000773F3000-memory.dmp

Filesize
1.6MB

Download