58972b9fb856a756ce1e738c42bc15e17df4aa378c4e05aea6f2253d0c3038bc

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034c765777a259d37ce8b1d99d05f591.exe
Size

176KB
MD5

034c765777a259d37ce8b1d99d05f591
SHA1

552ae3967e50390f06223ceb6f40c06ca45cc9b4
SHA256

58972b9fb856a756ce1e738c42bc15e17df4aa378c4e05aea6f2253d0c3038bc
SHA512

46ee2b3ac6d9d6749bca0a61ce5bdb39d4cea18bc0f5e8ae87a0bd0f903cab8846b8e729523030cf5eca9b57787c4c6082017e3a10b6bef55c40fdb07f22723c
SSDEEP

3072:xWVQsT+LfbtELxHiDRTlTb1W2suH/ufpwEbpCaY6rXAyd4y8JoZSpLcC4jErjO:nsTObtELxH8n13/HGfrp7Y67Ayd4y8Jk

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\3FA5B\\7444E.exe"	034c765777a259d37ce8b1d99d05f591.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1736-4-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1012-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1736-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1012-119-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1736-124-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1788-126-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1736-275-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1736-276-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1012	1736	034c765777a259d37ce8b1d99d05f591.exe	91
PID 1736 wrote to memory of 1012	1736	034c765777a259d37ce8b1d99d05f591.exe	91
PID 1736 wrote to memory of 1012	1736	034c765777a259d37ce8b1d99d05f591.exe	91
PID 1736 wrote to memory of 1788	1736	034c765777a259d37ce8b1d99d05f591.exe	93
PID 1736 wrote to memory of 1788	1736	034c765777a259d37ce8b1d99d05f591.exe	93
PID 1736 wrote to memory of 1788	1736	034c765777a259d37ce8b1d99d05f591.exe	93

C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe
"C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe
  C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe startC:\Program Files (x86)\LP\4E83\143.exe%C:\Program Files (x86)\LP\4E83
  2⤵
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe
  C:\Users\Admin\AppData\Local\Temp\034c765777a259d37ce8b1d99d05f591.exe startC:\Program Files (x86)\5B026\lvvm.exe%C:\Program Files (x86)\5B026
  2⤵
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3FA5B\B026.FA5

Filesize
996B

MD5
48caa745c2905b68fa1df0b70ce5c652

SHA1
0407b1f58338e5786433c7955dcdebb76d4c13c5

SHA256
8b18e74bb74fce42822203904e5b91be7633dc8f85270c849202fdb4f598e2a0

SHA512
2a8b15c0d1b140edb88e0334b12dadf7c4a5be9234a160c3a1f54b29dd245c787faa19b0a479d929b710b9f61a340ed79d04794e47d779c46961908fdcb2b28f

Download Submit
C:\Users\Admin\AppData\Roaming\3FA5B\B026.FA5

Filesize
600B

MD5
71765c0e3600da632f9f49be65c7eca2

SHA1
bbb4d93a00d350e08f12a673984afb21ab690583

SHA256
7ae74fd42fee0bf6a9e783edd25507680e2d08c8399c9bb4f3e435b29b2120ef

SHA512
25e391a7b9cbc4fe8bc1dd89269d561f28aa426b7f807b23be399cfb12a45a113a0e0f7c4ea5fc57bd1654f040d27dced24534d91ce25097bb79defaa2055727

Download Submit
memory/1012-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1012-14-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/1012-119-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1736-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1736-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1736-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1736-121-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-124-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1736-2-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-275-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1736-276-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1788-126-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads