b564f60fe6aa3c42836ce4bcad1c111532fa9381552af1cf07432a35325536e5

General

Target

xzxz/New folder.exe
Size

400KB
MD5

2a662da5551627fc500439ac2806b660
SHA1

febd073754fe6cb3558466110cae766019ace186
SHA256

793b89f8dd4ae0d68f438d990a043d517d1149a89460001ed5dabddb754988e1
SHA512

43109c63c0707904b0cd7ce841269f3813e5a7dd2fdda3ddaae04f3006d89ef83aa9463e4851bf5db8c1b7d8a4fbe41f669be98e673bc0360b17dbc1bdefade2
SSDEEP

6144:qLafsiuvAQ+tTm6cyERSiytj71cWE4jKS6vRBV+UdvrEFp7hK7+:q4CvAQ+q6ctRt636WfjOJBjvrEH7W+

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000500000001a511-120.dat	acprotect
behavioral2/files/0x000500000001a511-126.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2152	msn.exe

Loads dropped DLL 1 IoCs

pid	Process
4108	New folder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000500000001a511-120.dat	upx
behavioral2/memory/4108-125-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000500000001a511-126.dat	upx
behavioral2/memory/4108-133-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4108-144-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\apo5 = "C:\\Program Files (x86)\\win\\msn.exe"	New folder.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	msn.exe
File opened (read-only)	\??\h:	msn.exe
File opened (read-only)	\??\n:	msn.exe
File opened (read-only)	\??\q:	msn.exe
File opened (read-only)	\??\u:	msn.exe
File opened (read-only)	\??\y:	msn.exe
File opened (read-only)	\??\e:	msn.exe
File opened (read-only)	\??\j:	msn.exe
File opened (read-only)	\??\m:	msn.exe
File opened (read-only)	\??\p:	msn.exe
File opened (read-only)	\??\v:	msn.exe
File opened (read-only)	\??\b:	msn.exe
File opened (read-only)	\??\k:	msn.exe
File opened (read-only)	\??\o:	msn.exe
File opened (read-only)	\??\s:	msn.exe
File opened (read-only)	\??\w:	msn.exe
File opened (read-only)	\??\x:	msn.exe
File opened (read-only)	\??\z:	msn.exe
File opened (read-only)	\??\g:	msn.exe
File opened (read-only)	\??\a:	msn.exe
File opened (read-only)	\??\i:	msn.exe
File opened (read-only)	\??\l:	msn.exe
File opened (read-only)	\??\r:	msn.exe
File opened (read-only)	\??\t:	msn.exe
File opened (read-only)	\??\e:	New folder.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\win	New folder.exe
File created	C:\Program Files (x86)\win\msn.exe	New folder.exe
File opened for modification	C:\Program Files (x86)\win\msn.exe	New folder.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	New folder.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	New folder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4108	New folder.exe
4108	New folder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	New folder.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 2152	4108	New folder.exe	66
PID 4108 wrote to memory of 2152	4108	New folder.exe	66
PID 4108 wrote to memory of 2152	4108	New folder.exe	66

C:\Users\Admin\AppData\Local\Temp\xzxz\New folder.exe
"C:\Users\Admin\AppData\Local\Temp\xzxz\New folder.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Program Files (x86)\win\msn.exe
  "C:\Program Files (x86)\win\msn.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\win\msn.exe

Filesize
324KB

MD5
f7c5929dadf81deec13f03acaea94f99

SHA1
bbbc120de8e9b479ecf0bbc653611af13a04b5aa

SHA256
eae8acf329ccfdadf550c7a87b34e2004843e0ef647e4c14b3674ba653793255

SHA512
fc8aee52deb4406a22989bde442432e693affad097ab960c600ac3a9fee6d23573cfd70b22003b6dbc3c0cbb315cf1cf7ea69ac9c0a6085c3529f6e368d4063d

Download Submit
C:\Program Files (x86)\win\msn.exe

Filesize
324KB

MD5
f7c5929dadf81deec13f03acaea94f99

SHA1
bbbc120de8e9b479ecf0bbc653611af13a04b5aa

SHA256
eae8acf329ccfdadf550c7a87b34e2004843e0ef647e4c14b3674ba653793255

SHA512
fc8aee52deb4406a22989bde442432e693affad097ab960c600ac3a9fee6d23573cfd70b22003b6dbc3c0cbb315cf1cf7ea69ac9c0a6085c3529f6e368d4063d

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\7F271010100C.tmp

Filesize
324KB

MD5
f7c5929dadf81deec13f03acaea94f99

SHA1
bbbc120de8e9b479ecf0bbc653611af13a04b5aa

SHA256
eae8acf329ccfdadf550c7a87b34e2004843e0ef647e4c14b3674ba653793255

SHA512
fc8aee52deb4406a22989bde442432e693affad097ab960c600ac3a9fee6d23573cfd70b22003b6dbc3c0cbb315cf1cf7ea69ac9c0a6085c3529f6e368d4063d

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2152-145-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2152-147-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4108-124-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4108-125-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4108-133-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4108-142-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4108-144-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing