57ffd73949347468a537ed5786060f56119b4630b700cc245b3d372ecae42288

General

Target

141e76ca31d375daa858c70cc8626289.exe
Size

178KB
MD5

141e76ca31d375daa858c70cc8626289
SHA1

0eb76d0cc2f4f61d285f7450f7708e40a0c10a7f
SHA256

57ffd73949347468a537ed5786060f56119b4630b700cc245b3d372ecae42288
SHA512

9f97a470c00b2f360f86a15cfbac3e6a5f64f229cf03c7d0d274196b001e077493bbed333b3d61966cd87f930240ddabc8af7d75e902d09d44ea480efbcb745d
SSDEEP

3072:V0gsRCyVnADxyozYKtyNqrXR+vJjclB0GxPpOGgyk6Rj3a3iA64wwiBdfceyYU:YNnA1zHroBjREMGgykC7ayA6bwiffce0

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe"	141e76ca31d375daa858c70cc8626289.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2672-1-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1256-8-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/5092-115-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2672-113-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2672-188-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2672-189-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1256	2672	141e76ca31d375daa858c70cc8626289.exe	24
PID 2672 wrote to memory of 1256	2672	141e76ca31d375daa858c70cc8626289.exe	24
PID 2672 wrote to memory of 1256	2672	141e76ca31d375daa858c70cc8626289.exe	24
PID 2672 wrote to memory of 5092	2672	141e76ca31d375daa858c70cc8626289.exe	94
PID 2672 wrote to memory of 5092	2672	141e76ca31d375daa858c70cc8626289.exe	94
PID 2672 wrote to memory of 5092	2672	141e76ca31d375daa858c70cc8626289.exe	94

C:\Users\Admin\AppData\Local\Temp\141e76ca31d375daa858c70cc8626289.exe
"C:\Users\Admin\AppData\Local\Temp\141e76ca31d375daa858c70cc8626289.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\141e76ca31d375daa858c70cc8626289.exe
  C:\Users\Admin\AppData\Local\Temp\141e76ca31d375daa858c70cc8626289.exe startC:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\141e76ca31d375daa858c70cc8626289.exe
  C:\Users\Admin\AppData\Local\Temp\141e76ca31d375daa858c70cc8626289.exe startC:\Windows\system32\lvvm.exe%C:\Windows\system32
  2⤵
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E3CB.347

Filesize
996B

MD5
c8c012e0dba669c550ee814e91e9b4fd

SHA1
b6ab181c5d542be53b2360c69efcad901768c1ec

SHA256
61e98793ab55b4f3f175fa35480b3edd7850fdf1f6fb70852dfa22acedd695e5

SHA512
ec0be246fa6a0545f3b2651d252ad927bc8a8e1d1be19c57de370e6e30daba98323591f0a51091b216d4224fbdf7196725f95822d16b8658b2c81d948dd2dd65

Download Submit
C:\Users\Admin\AppData\Roaming\E3CB.347

Filesize
600B

MD5
2215d24d65d5531d3ffce04e354cfeb7

SHA1
14617b9300793f70254140d9fcf6cb518c447947

SHA256
0e55d802e9373c063ce1d94f3ff9de29b22a2f1c2257179a6d1f409e6ff1189d

SHA512
6d846602822a87feb88fbf82748e373bdfe14a6853177f1d3f554f15dc7ce6a68a2a5b99a53754cf79974c2d0eea5655fadeaaa9d91566e0079ce226c75e6aaf

Download Submit
C:\Users\Admin\AppData\Roaming\E3CB.347

Filesize
1KB

MD5
5344c903925108728c107c558dde0245

SHA1
ce77d2a3970bd937148c80cf04df296f6ec676b7

SHA256
c2104bb185e26b41cc985e30ee6d7d5164eb83ed56a0c2c1e1a7932928b02557

SHA512
f52a9f709e83662a64fa279af22f3b86f953b9862373a9a99b925f89b25a5f18adc56dd95e9353f6c384984341b942dc886c493f4a09976da8dad18abf063369

Download Submit
memory/1256-10-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/1256-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-183-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/2672-2-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2672-113-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2672-118-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2672-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2672-188-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2672-189-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5092-116-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/5092-115-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5092-185-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads