298c67b45d460f8cfa0d054d7be4317d2a81bd79f654dd744466a73505ad8e9d

General

Target

0cf49225491f58b3d64f4da7bd304e3e.exe
Size

285KB
MD5

0cf49225491f58b3d64f4da7bd304e3e
SHA1

bfa01952f5c3cae91f0222e4a5d894b6c37dedfd
SHA256

298c67b45d460f8cfa0d054d7be4317d2a81bd79f654dd744466a73505ad8e9d
SHA512

0a69aa5dc3defa00cdceafbe0ac92ad1f2b3e278fc06bc596d4d38a08e5175c92e25d00baf609b7481f6d7cc69cb180113bacf5531fe836da766d1517fdf7999
SSDEEP

6144:O9j17jjCWXkANmZGceQhAmrf+jTCWdCJqv8+nY:aBjCekoD5QmIaTCWYJqv8+nY

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	0cf49225491f58b3d64f4da7bd304e3e.exe

Disables taskbar notifications via registry modification
evasion
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2228-54-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1528-56-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2228-156-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/568-206-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2228-209-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2228-326-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2228-329-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\156.exe = "C:\\Program Files (x86)\\LP\\62C3\\156.exe"	0cf49225491f58b3d64f4da7bd304e3e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\62C3\156.exe	0cf49225491f58b3d64f4da7bd304e3e.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe
2228	0cf49225491f58b3d64f4da7bd304e3e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1528	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	31
PID 2228 wrote to memory of 1528	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	31
PID 2228 wrote to memory of 1528	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	31
PID 2228 wrote to memory of 1528	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	31
PID 2228 wrote to memory of 568	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	32
PID 2228 wrote to memory of 568	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	32
PID 2228 wrote to memory of 568	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	32
PID 2228 wrote to memory of 568	2228	0cf49225491f58b3d64f4da7bd304e3e.exe	32

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	0cf49225491f58b3d64f4da7bd304e3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0cf49225491f58b3d64f4da7bd304e3e.exe

C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe
"C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2228
- C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe
  C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe startC:\Users\Admin\AppData\Roaming\3F3C2\87562.exe%C:\Users\Admin\AppData\Roaming\3F3C2
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe
  C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe startC:\Program Files (x86)\C2379\lvvm.exe%C:\Program Files (x86)\C2379
  2⤵
  PID:568
- C:\Program Files (x86)\LP\62C3\9B84.tmp
  "C:\Program Files (x86)\LP\62C3\9B84.tmp"
  2⤵
  PID:892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

3

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3F3C2\2379.F3C

Filesize
996B

MD5
7115b394ba60e2086933c2a12137f642

SHA1
c9f986296271fb4170dd14f2f069f7ede7181dfa

SHA256
0956015d9a9587b83f7b23eef32ba45e31ab94461d89a14c56374401adafd1ec

SHA512
910723567b91071685422b3e4540df19150665a89b0c03cfd70fee68ffc3ccf1023497e109219ad0b72a7c57ac1157c3690ec99354e1364be9713ee6d12da4d4

Download Submit
C:\Users\Admin\AppData\Roaming\3F3C2\2379.F3C

Filesize
600B

MD5
b02cf7621a05ffa7e90f11d33318b561

SHA1
7d8253f43ae6974441b74be483f7a73606163686

SHA256
060a57f372097eaa97f88914f83a19eb760835a1d3f06a7b470dc314edb04552

SHA512
8fc5f67fb3f13674f9792c66af612b8d1c454794e6db87b012965ccf18737ec5e159d767dd5199b31083dff5c018b48856e9cc10892a551288ddedb063ec89a5

Download Submit
C:\Users\Admin\AppData\Roaming\3F3C2\2379.F3C

Filesize
300B

MD5
b98b5bef59efb0d850427037873bff55

SHA1
3fbf7fd686e32a98dd64e0cbf87f8611dd6cfc93

SHA256
56e655f475704c5b30377c86a7dd970f1e40bd3dbc7853a7edaffc649fa622be

SHA512
b5a10af448c8bcaec706fd0dd9d3a0e61449371decc53015ec6a0ca7cf02e013cecda08bebb63ca3b44472b177ecef788dee93004cbbf588bb8c03437dd7b298

Download Submit
\Program Files (x86)\LP\62C3\9B84.tmp

Filesize
29KB

MD5
5df47cba4168b5888af6571c03473233

SHA1
eb713d0eb05ee32639ae72a1ebcba540b539894b

SHA256
6af89715a96dddb4f6857a67c2d86b1ebeaf21a9751926bb1baef0fbfcd205ad

SHA512
a3bdd620b79dabcf6b4f1d6a50ae20e9c8b294b9b16e219f567560d45309d72df724be42eb839d9a292e57867a055dc6cb7196ea858a2b5a644688bcb17bd4a8

Download Submit
\Program Files (x86)\LP\62C3\9B84.tmp

Filesize
12KB

MD5
6ae09e3ec949ecda131b15d596f8c28b

SHA1
1452a56c96c94cd2f0d9174b8f680521040f2c7a

SHA256
6353731d7986899da04ec611f542ea7b1dc4c4ed16110b977580ee376873214d

SHA512
75c4caac36f4ea2f146e3b7fa3036e93d3db33960678d127ecb9e9cf3bfac1f7dd1d1210f3fd6fe08114c7e326c945faf66c2e2928947879bfcf5b8d0beaf81f

Download Submit
memory/568-206-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/568-205-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/568-207-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/892-324-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/892-328-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/892-325-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1064-330-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1064-208-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1528-56-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2228-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2228-2-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2228-54-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2228-156-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2228-326-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2228-209-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2228-203-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2228-329-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads