4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4

General

Target

4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
Size

10.0MB
MD5

d3471e1abea87cb9ab4aea1a89f9b2e9
SHA1

67d6dac244049ed8de892d4235976df04c4423ba
SHA256

4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4
SHA512

9d59f49cd51b7f23641ca5c43ed413617b60e19308195af38cef49d30f0b4d4eb0118de600210968c561e1bda0310b33a397b953e9bf6e0d0112a9bc8366c779
SSDEEP

196608:dSbvo4WSRKekmQ/8bOg63iJ1Y87GjQUyMqywWK4R1j5X6:dSUokmQ/8bORSJ1YRVLpwWKiB5

Score

8^/10

spyware stealer vmprotect

Malware Config

Signatures

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1780-56-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1780-55-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1780-61-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1292-63-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1292-66-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1452-69-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1452-72-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1452-73-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1452-74-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1540-77-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1540-80-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect
behavioral1/memory/1540-81-0x0000000000E90000-0x0000000002106000-memory.dmp	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1780-56-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1780-55-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1780-61-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1292-63-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1292-66-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1452-69-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1452-72-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1452-73-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1452-74-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1540-77-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1540-80-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe
behavioral1/memory/1540-81-0x0000000000E90000-0x0000000002106000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

OneCoreUAPCommonProxyStub.exeOneCoreUAPCommonProxyStub.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	OneCoreUAPCommonProxyStub.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	OneCoreUAPCommonProxyStub.exe

NTFS ADS 2 IoCs

Processes:

4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exeOneCoreUAPCommonProxyStub.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\winmgmts:\localhost\	OneCoreUAPCommonProxyStub.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exeOneCoreUAPCommonProxyStub.exeOneCoreUAPCommonProxyStub.exeOneCoreUAPCommonProxyStub.exe

pid	process
1780	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
1780	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
1292	OneCoreUAPCommonProxyStub.exe
1292	OneCoreUAPCommonProxyStub.exe
1452	OneCoreUAPCommonProxyStub.exe
1452	OneCoreUAPCommonProxyStub.exe
1540	OneCoreUAPCommonProxyStub.exe
1540	OneCoreUAPCommonProxyStub.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe

pid process

1780 4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exetaskeng.exe

description	pid	process	target process
PID 1780 wrote to memory of 1292	1780	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe	OneCoreUAPCommonProxyStub.exe
PID 1780 wrote to memory of 1292	1780	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe	OneCoreUAPCommonProxyStub.exe
PID 1780 wrote to memory of 1292	1780	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe	OneCoreUAPCommonProxyStub.exe
PID 1780 wrote to memory of 1292	1780	4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1452	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1452	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1452	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1452	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1540	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1540	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1540	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe
PID 924 wrote to memory of 1540	924	taskeng.exe	OneCoreUAPCommonProxyStub.exe

C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe
"C:\Users\Admin\AppData\Local\Temp\4e63690399558ffb13767bab2f6b694376dcb1677f1fac55e64f871b493b2df4.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
  C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1292

C:\Windows\system32\taskeng.exe
taskeng.exe {7550BDC3-93C5-4EEF-8A3C-AFC370448836} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
  C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
  C:\Users\Admin\AppData\Roaming\amd64_netfx-aspnet\OneCoreUAPCommonProxyStub.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-59-0x0000000000000000-mapping.dmp

Download
memory/1292-63-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1292-66-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1452-69-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1452-74-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1452-73-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1452-72-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1452-67-0x0000000000000000-mapping.dmp

Download
memory/1540-75-0x0000000000000000-mapping.dmp

Download
memory/1540-77-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1540-80-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1540-81-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1780-61-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1780-55-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1780-56-0x0000000000E90000-0x0000000002106000-memory.dmp

Filesize
18.5MB

Download
memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads