6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562

General

Target

6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
Size

3.8MB
MD5

9b7ba61a8161f042f18e4f0ab561093f
SHA1

6664f1697e78e75db5f26840ce2eb1667ce14b70
SHA256

6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562
SHA512

753f2d4dbc36aa246a33cc90e49e85030308c866cd145ce76824bd463e0606d11902c1ba42d5b13b3d77b7ffee489675157d1c799663cb2dd2a58dbef64c096c
SSDEEP

98304:Di8f4s4itYO1d9iAa37INDDhlElcVF/t5X:DiPDiR1uVIkSPX

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4380	leuxltwwasseyoqusvuvlwhjwpaexxn-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-6-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/files/0x0006000000022d80-7.dat	upx
behavioral1/files/0x0006000000022d80-10.dat	upx
behavioral1/memory/4380-16-0x00007FF6396C0000-0x00007FF63AF5C000-memory.dmp	upx
behavioral1/memory/4380-15-0x00007FF6396C0000-0x00007FF63AF5C000-memory.dmp	upx
behavioral1/memory/4384-19-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/4384-29-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-32-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-33-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-34-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-35-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-36-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-37-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-38-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-39-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-40-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-41-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-42-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-43-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-44-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-45-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-46-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-47-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-48-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-49-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-50-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-51-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-52-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-53-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-54-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-55-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-56-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-57-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-58-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/1700-59-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx
behavioral1/memory/2432-60-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe = "11001"	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe = "11001"	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4384	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
4384	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1700	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
2432	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2432	1700	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe	84
PID 1700 wrote to memory of 2432	1700	6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe	84

C:\Users\Admin\AppData\Local\Temp\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
"C:\Users\Admin\AppData\Local\Temp\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
  "C:\Users\Admin\AppData\Local\Temp\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe
  "C:\Users\Admin\AppData\Local\Temp\6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384

C:\ProgramData\Getscreen.me\leuxltwwasseyoqusvuvlwhjwpaexxn-elevate.exe
"C:\ProgramData\Getscreen.me\leuxltwwasseyoqusvuvlwhjwpaexxn-elevate.exe" -elevate \\.\pipe\elevateGS512leuxltwwasseyoqusvuvlwhjwpaexxn
1⤵
- Executes dropped EXE
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\leuxltwwasseyoqusvuvlwhjwpaexxn-elevate.exe

Filesize
3.8MB

MD5
9b7ba61a8161f042f18e4f0ab561093f

SHA1
6664f1697e78e75db5f26840ce2eb1667ce14b70

SHA256
6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562

SHA512
753f2d4dbc36aa246a33cc90e49e85030308c866cd145ce76824bd463e0606d11902c1ba42d5b13b3d77b7ffee489675157d1c799663cb2dd2a58dbef64c096c

Download Submit
C:\ProgramData\Getscreen.me\leuxltwwasseyoqusvuvlwhjwpaexxn-elevate.exe

Filesize
3.8MB

MD5
9b7ba61a8161f042f18e4f0ab561093f

SHA1
6664f1697e78e75db5f26840ce2eb1667ce14b70

SHA256
6bb104271472d489b6901261d2d573f6b34c9539d93cb9777e486f8d41e3e562

SHA512
753f2d4dbc36aa246a33cc90e49e85030308c866cd145ce76824bd463e0606d11902c1ba42d5b13b3d77b7ffee489675157d1c799663cb2dd2a58dbef64c096c

Download Submit
C:\ProgramData\Getscreen.me\logs\20231122.log

Filesize
673B

MD5
a773e4bcdfedeb22c29a55f6fd26b24c

SHA1
1fc69d0c4cbf2c7ae9ba04970a53e13a58e75a27

SHA256
c9edbb4a31e311505577d2cc255414d8c762524e3184221165e0518e00241245

SHA512
793e64c7ae2e526d792e2a4df1005da7b374e0a23287a6f395d06b384c672e0cfb4676f757e3f80461f681d79741a8f4252a1d6328c3e8d36ab19311f3096a0b

Download Submit
C:\ProgramData\Getscreen.me\logs\20231122.log

Filesize
2KB

MD5
24c210637f511aa6343da7de23d2d71e

SHA1
c8b776e4513e9e6cec50f3c886def0c177f29d12

SHA256
d0795cc73a2bc90f4725be9b4da686d32be3667d383422bdd5337a37a9c631d0

SHA512
3230776c2adb8aa4bd4f6bad476264561eadb7fe90da94bde2964d58cca109a2d2b79269689aca843408fae09bb1185e21e68046c6f28b0d577d58a94f0adb55

Download Submit
C:\ProgramData\Getscreen.me\logs\20231122.log

Filesize
261B

MD5
b6593682325ad2315228ecbcadb813f5

SHA1
570ef124e452d720282c79105110d67fd1f14514

SHA256
71923c666a4ef4f2aa4eefee89f314d8707155adcc76eada34f16d115f4e95c5

SHA512
291679a2aa388e6422759809082cb13e7307e5344cbcdfdbfe1aaf96656f871676fef0b7ab03dafc22b93d114a40f3bf0f49ac54f368a99d165d8b42259e63af

Download Submit
C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96Getscreen0me

Filesize
16.0MB

MD5
4b1b4e345cc5f2c368f3ac861ef9cf78

SHA1
59a6c0a73cb6e95ab5ff8575cb5777ee7945dd0c

SHA256
ae8286341fde8f581c76ee67718d602efcc5d94de663d2054f9dca1a6195e987

SHA512
2dd27dc84c14f7d88bee7494900a68149d6d7de1db768d92e6fc69263646f0e7a22dddb36aadb35d4176fa284b16d293356a0403e87b758e13b859a6368edc0d

Download Submit
memory/1700-53-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-0-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-57-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-59-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-41-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-51-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-32-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-55-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-34-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-49-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-47-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-37-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-45-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-39-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/1700-43-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-50-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-33-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-40-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-44-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-38-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-46-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-36-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-48-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-35-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-42-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-60-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-52-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-6-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-54-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-58-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/2432-56-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/4380-16-0x00007FF6396C0000-0x00007FF63AF5C000-memory.dmp

Filesize
24.6MB

Download
memory/4380-15-0x00007FF6396C0000-0x00007FF63AF5C000-memory.dmp

Filesize
24.6MB

Download
memory/4384-19-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download
memory/4384-29-0x00007FF6D1A20000-0x00007FF6D32BC000-memory.dmp

Filesize
24.6MB

Download

Analysis

Sharing