017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5

General

Target

017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
Size

3.2MB
MD5

de05b086e58900dbba82bb3e7ea33d48
SHA1

c30888e59588016b2b52d10754f484ebc58208e4
SHA256

017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5
SHA512

eca6258d34e6452c159a98e37a62d61294daffad6de8844823165effb4ccb01e0e9d4a9f3e5f96a30e14f34939aa834882a7d6eb4ead25821fa56b62ab1e80ab
SSDEEP

49152:Ep/LKtx/0q5FQHVJaMEOAFItRd297EzuSgRgc01XLX9KiaZUjMehUbc:EpzKf/BkTaRFkJy3aBFDR4V4

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3768	zceuxiijtdbnmaapjkyfidysoufgpdb-elevate.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3628-2-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-6-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/files/0x000600000001ab8c-7.dat	upx
behavioral1/files/0x000600000001ab8c-12.dat	upx
behavioral1/memory/3768-16-0x00007FF654850000-0x00007FF655F20000-memory.dmp	upx
behavioral1/memory/3768-15-0x00007FF654850000-0x00007FF655F20000-memory.dmp	upx
behavioral1/memory/1676-19-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/1676-30-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-31-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-32-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-34-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-35-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-36-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-37-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-38-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-39-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-40-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-41-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-42-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-43-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-44-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-45-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-46-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-47-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-48-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-49-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-50-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-51-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-52-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-53-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-54-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-55-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-56-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-57-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-58-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-59-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3628-60-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx
behavioral1/memory/3844-61-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe = "11001"	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe = "11001"	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1676	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
1676	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3628	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
3844	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3844	3628	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe	70
PID 3628 wrote to memory of 3844	3628	017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe	70

C:\Users\Admin\AppData\Local\Temp\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
"C:\Users\Admin\AppData\Local\Temp\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
  "C:\Users\Admin\AppData\Local\Temp\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3844
- C:\Users\Admin\AppData\Local\Temp\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe
  "C:\Users\Admin\AppData\Local\Temp\017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676

C:\ProgramData\Getscreen.me\zceuxiijtdbnmaapjkyfidysoufgpdb-elevate.exe
"C:\ProgramData\Getscreen.me\zceuxiijtdbnmaapjkyfidysoufgpdb-elevate.exe" -elevate \\.\pipe\elevateGS512zceuxiijtdbnmaapjkyfidysoufgpdb
1⤵
- Executes dropped EXE
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\logs\20231107.log

Filesize
673B

MD5
fd8251ba7d4346486277d5804b6247e7

SHA1
6aa1694d08e5d61faf7c8d0eff20317fc6ab5f7e

SHA256
cf3ea5b1a770c6e1d49923b1c07509184bd7aa6f7307881f6cf910390da6a9cc

SHA512
47489c8086e566312bc359044323b3f48b457cd09608c1a907e413267589a796dd7af831ac6064eeb75af51770d0779fa099eb0a62e0daa1f029f9f50bc18a05

Download Submit
C:\ProgramData\Getscreen.me\logs\20231107.log

Filesize
2KB

MD5
eaaf32cfe15c9edf75040713b21cd074

SHA1
57bdc913ed472be061d980da0d86c783ef332c67

SHA256
ee0d4c3f0086086aca901899cc294de4598104c95e9a7dc87cc9894306d648f1

SHA512
9038611623007d086de6cd8be025f176739ab6f739e2ce8ae994d8aad51f0c849ead248de036af41c9c2fe3cd55f1ccca8dda32d1320a3e2132a505593e5b0ef

Download Submit
C:\ProgramData\Getscreen.me\logs\20231107.log

Filesize
261B

MD5
7ed45ee9df05fe6a4462e5bc5495024c

SHA1
e09f868b12d82fcc9577dc1908897d5681001934

SHA256
40064c84b42e90a71c64cc24b8b997f5ea6753b04650a3d9eb04b0bfec889e1b

SHA512
d02952966c618edb0ecb098cb563872c9acf99e63a1b1b3d921ef11a2d6a325d04d513804285a9fb0a5d71132821a39926cc2dfa660b8cc0eaed591acf6f6299

Download Submit
C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96Getscreen0me

Filesize
16.0MB

MD5
4b1b4e345cc5f2c368f3ac861ef9cf78

SHA1
59a6c0a73cb6e95ab5ff8575cb5777ee7945dd0c

SHA256
ae8286341fde8f581c76ee67718d602efcc5d94de663d2054f9dca1a6195e987

SHA512
2dd27dc84c14f7d88bee7494900a68149d6d7de1db768d92e6fc69263646f0e7a22dddb36aadb35d4176fa284b16d293356a0403e87b758e13b859a6368edc0d

Download Submit
C:\ProgramData\Getscreen.me\zceuxiijtdbnmaapjkyfidysoufgpdb-elevate.exe

Filesize
3.2MB

MD5
de05b086e58900dbba82bb3e7ea33d48

SHA1
c30888e59588016b2b52d10754f484ebc58208e4

SHA256
017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5

SHA512
eca6258d34e6452c159a98e37a62d61294daffad6de8844823165effb4ccb01e0e9d4a9f3e5f96a30e14f34939aa834882a7d6eb4ead25821fa56b62ab1e80ab

Download Submit
C:\ProgramData\Getscreen.me\zceuxiijtdbnmaapjkyfidysoufgpdb-elevate.exe

Filesize
3.2MB

MD5
de05b086e58900dbba82bb3e7ea33d48

SHA1
c30888e59588016b2b52d10754f484ebc58208e4

SHA256
017d07923c535e1ab56b0a7e42da0fb396b61bc74dfbcb51a51b504ff34ae3e5

SHA512
eca6258d34e6452c159a98e37a62d61294daffad6de8844823165effb4ccb01e0e9d4a9f3e5f96a30e14f34939aa834882a7d6eb4ead25821fa56b62ab1e80ab

Download Submit
memory/1676-30-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/1676-19-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-40-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-54-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-44-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-60-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-31-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-58-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-34-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-56-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-36-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-46-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-38-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-52-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-2-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-50-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-42-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3628-48-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3768-16-0x00007FF654850000-0x00007FF655F20000-memory.dmp

Filesize
22.8MB

Download
memory/3768-15-0x00007FF654850000-0x00007FF655F20000-memory.dmp

Filesize
22.8MB

Download
memory/3844-45-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-47-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-43-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-49-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-41-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-51-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-39-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-53-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-37-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-55-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-35-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-57-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-32-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-59-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-6-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download
memory/3844-61-0x00007FF6F1960000-0x00007FF6F3030000-memory.dmp

Filesize
22.8MB

Download

Analysis

Sharing