58972b9fb856a756ce1e738c42bc15e17df4aa378c4e05aea6f2253d0c3038bc

General

Target

034c765777a259d37ce8b1d99d05f591.exe
Size

176KB
MD5

034c765777a259d37ce8b1d99d05f591
SHA1

552ae3967e50390f06223ceb6f40c06ca45cc9b4
SHA256

58972b9fb856a756ce1e738c42bc15e17df4aa378c4e05aea6f2253d0c3038bc
SHA512

46ee2b3ac6d9d6749bca0a61ce5bdb39d4cea18bc0f5e8ae87a0bd0f903cab8846b8e729523030cf5eca9b57787c4c6082017e3a10b6bef55c40fdb07f22723c
SSDEEP

3072:xWVQsT+LfbtELxHiDRTlTb1W2suH/ufpwEbpCaY6rXAyd4y8JoZSpLcC4jErjO:nsTObtELxH8n13/HGfrp7Y67Ayd4y8Jk

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\1F220\\0ECF5.exe"	034c765777a259d37ce8b1d99d05f591.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1548-1-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1548-4-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1548-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1548-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-18-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1548-116-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/652-118-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2700-224-0x0000000001DB0000-0x0000000001EB0000-memory.dmp	upx
behavioral1/memory/652-226-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1548-229-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2700	1548	034c765777a259d37ce8b1d99d05f591.exe	29
PID 1548 wrote to memory of 2700	1548	034c765777a259d37ce8b1d99d05f591.exe	29
PID 1548 wrote to memory of 2700	1548	034c765777a259d37ce8b1d99d05f591.exe	29
PID 1548 wrote to memory of 2700	1548	034c765777a259d37ce8b1d99d05f591.exe	29
PID 1548 wrote to memory of 652	1548	034c765777a259d37ce8b1d99d05f591.exe	32
PID 1548 wrote to memory of 652	1548	034c765777a259d37ce8b1d99d05f591.exe	32
PID 1548 wrote to memory of 652	1548	034c765777a259d37ce8b1d99d05f591.exe	32
PID 1548 wrote to memory of 652	1548	034c765777a259d37ce8b1d99d05f591.exe	32

C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe
"C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe
  C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe startC:\Program Files (x86)\LP\F511\D1C.exe%C:\Program Files (x86)\LP\F511
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe
  C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe startC:\Program Files (x86)\20B2F\lvvm.exe%C:\Program Files (x86)\20B2F
  2⤵
  PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1F220\0B2F.F22

Filesize
996B

MD5
feb9e100b465c02e6f1f1518a54a2e38

SHA1
ab50af8eb25cf0824fc51b3a1d305543b18a678c

SHA256
15a3fb5c24d3dbf559073e236418809ecab4b10f0eee992ddb40fb7a7d961279

SHA512
b2bef93d74ceedc0728974ae903815b31edafe64b3d8e43411a3dcfcf8036a0e3ac65c813642000c049c4edd6ddb17ae6259abc37a369c068a783ddb89c21c8d

Download Submit
C:\Users\Admin\AppData\Roaming\1F220\0B2F.F22

Filesize
600B

MD5
eb4d57ee17af5fd44a7cd22491dd0d7d

SHA1
206e391c4c7c0e33b24f3af3db96acf13c63fbd2

SHA256
97db77646cee987aa3d93e93731b47b7a91d743bd6fd1354bc3acbcac15b07e8

SHA512
9c57fcac81cfee22fe298b4d88b62684705478508f072d77bf5c701dfa551be167a9ffab072870728555c45c66459e5d1fe28559c13e18ff6a95d8d84fe99b89

Download Submit
C:\Users\Admin\AppData\Roaming\1F220\0B2F.F22

Filesize
1KB

MD5
f4543e76142d729f109b3ecad3f8b201

SHA1
214621446c75a574b77aef7d63f951f47ef66d73

SHA256
1c9cbe761f397276d80cf29cb0a607830bcddb47da4a919c5f8dea0968b1d981

SHA512
99c4b9b0a7779247fd1fd84f82ceb2634515cd12f9bb8c8945d5c94236be67d8473fb90e7a8568242dbebcab32849ed249a46f0a2096aaa7e6f41fde3be285f0

Download Submit
memory/652-118-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/652-226-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/652-119-0x0000000001E40000-0x0000000001EB9000-memory.dmp

Filesize
484KB

Download
memory/1548-116-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1548-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1548-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1548-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1548-2-0x0000000001E30000-0x0000000001F30000-memory.dmp

Filesize
1024KB

Download
memory/1548-14-0x0000000001E30000-0x0000000001F30000-memory.dmp

Filesize
1024KB

Download
memory/1548-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1548-229-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-19-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2700-18-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-224-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads