202b13cc9badf57b2396fbd64d7e5c13f7025b50ee5cde19f23b66b7b3c90798

General

Target

0d9f25321d2df308ddd0ea15af9307cf.exe
Size

170KB
MD5

0d9f25321d2df308ddd0ea15af9307cf
SHA1

e30b01aa4b5b0999514aff7270c5457694be45f9
SHA256

202b13cc9badf57b2396fbd64d7e5c13f7025b50ee5cde19f23b66b7b3c90798
SHA512

30a4ee8a5d7e1d70332edcc814568d50fd6ff9646956ac463d16165683d4c4fbcaa11c46454047025074186916b26cdc1df9413644ba627cee01e98da149e5dc
SSDEEP

3072:RsuIsB8gZoLhaFyVs5Chw521meIfynYfE0/P2TfLzdLE13FUVLeL7Y4:6uzZoLhaBI4iXYs0/P2zdg11UVLeL7Y

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\60066\\CAC84.exe"	0d9f25321d2df308ddd0ea15af9307cf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-1-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2540-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2540-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2248-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2036-136-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2248-138-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2036-266-0x0000000000270000-0x0000000000370000-memory.dmp	upx
behavioral1/memory/2248-311-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2540	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	28
PID 2248 wrote to memory of 2540	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	28
PID 2248 wrote to memory of 2540	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	28
PID 2248 wrote to memory of 2540	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	28
PID 2248 wrote to memory of 2036	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	30
PID 2248 wrote to memory of 2036	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	30
PID 2248 wrote to memory of 2036	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	30
PID 2248 wrote to memory of 2036	2248	0d9f25321d2df308ddd0ea15af9307cf.exe	30

C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe
"C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe
  C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe startC:\Program Files (x86)\LP\84B6\8A0.exe%C:\Program Files (x86)\LP\84B6
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe
  C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe startC:\Program Files (x86)\66C7E\lvvm.exe%C:\Program Files (x86)\66C7E
  2⤵
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\60066\6C7E.006

Filesize
996B

MD5
bfd1aaa3add4bd12e9dda49165efbf35

SHA1
c850c7786467ccdb3e52ed2f0bb049ee70f8545f

SHA256
78cf320fdb9f115344f54381433d04ab7c20375ca95dff08367c9ec362a48739

SHA512
adfcd0b98a8df41670d25e2221d2270a1bfbdc3bb39923148fcf41eb37afd4f1026664cd5b6b13e6b736607ecb61c54a3adae329ea847a5e1040f168f3835c20

Download Submit
C:\Users\Admin\AppData\Roaming\60066\6C7E.006

Filesize
1KB

MD5
3b2aac4e4a6534bd300b75ed3e95b791

SHA1
492b08f79d8ee370f8a5fbdbbb2858812886ad54

SHA256
7b1342169f79fa19a98af46b5d64936163c8716a21d5bdfc6921182665b1f476

SHA512
0aa5a97e4d44f24f31a89ba7384882cbae43771d0570b46dc0e8cffc8236b29a7c81262ede95c0f337fe51d72f27e1788900db9292904de8ec3e7815f3af725b

Download Submit
C:\Users\Admin\AppData\Roaming\60066\6C7E.006

Filesize
600B

MD5
6bcb9062b8687e453553c24039c5dd97

SHA1
afe0d0f4f8da8cbfd78d4ba9760f8273e4c00d4f

SHA256
4cfa567d775325e4b7cdd7a6edd97fa9d9f72f5b43f98c44cb81af20b18bda97

SHA512
86cb93d04a4f2d1c9efb772668930da0c923b1b7b8dd13d587f713eb0fefb26e329f5db86422b31f74ea37c4858686cf270ff8e44f14efd7d2b6877ea51ee5f8

Download Submit
memory/2036-137-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2036-266-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2036-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2248-262-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2248-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2248-138-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2248-3-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2248-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2248-311-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2540-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2540-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2540-14-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2540-264-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads