202b13cc9badf57b2396fbd64d7e5c13f7025b50ee5cde19f23b66b7b3c90798

General

Target

0d9f25321d2df308ddd0ea15af9307cf.exe
Size

170KB
MD5

0d9f25321d2df308ddd0ea15af9307cf
SHA1

e30b01aa4b5b0999514aff7270c5457694be45f9
SHA256

202b13cc9badf57b2396fbd64d7e5c13f7025b50ee5cde19f23b66b7b3c90798
SHA512

30a4ee8a5d7e1d70332edcc814568d50fd6ff9646956ac463d16165683d4c4fbcaa11c46454047025074186916b26cdc1df9413644ba627cee01e98da149e5dc
SSDEEP

3072:RsuIsB8gZoLhaFyVs5Chw521meIfynYfE0/P2TfLzdLE13FUVLeL7Y4:6uzZoLhaBI4iXYs0/P2zdg11UVLeL7Y

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\297F0\\7C8E9.exe"	0d9f25321d2df308ddd0ea15af9307cf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/436-1-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4760-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4760-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/436-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2380-174-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/436-176-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/436-293-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4760	436	0d9f25321d2df308ddd0ea15af9307cf.exe	91
PID 436 wrote to memory of 4760	436	0d9f25321d2df308ddd0ea15af9307cf.exe	91
PID 436 wrote to memory of 4760	436	0d9f25321d2df308ddd0ea15af9307cf.exe	91
PID 436 wrote to memory of 2380	436	0d9f25321d2df308ddd0ea15af9307cf.exe	95
PID 436 wrote to memory of 2380	436	0d9f25321d2df308ddd0ea15af9307cf.exe	95
PID 436 wrote to memory of 2380	436	0d9f25321d2df308ddd0ea15af9307cf.exe	95

C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe
"C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe
  C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe startC:\Program Files (x86)\LP\E962\8B5.exe%C:\Program Files (x86)\LP\E962
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe
  C:\Users\Admin\AppData\Local\Temp\0d9f25321d2df308ddd0ea15af9307cf.exe startC:\Program Files (x86)\F0B31\lvvm.exe%C:\Program Files (x86)\F0B31
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\297F0\0B31.97F

Filesize
600B

MD5
ff9a2d1a8457af6828c4a0290595a5f0

SHA1
053788b5000637149f7e39e1d15eeb017450ffec

SHA256
61d475b7ad6e5119345dfc347515f8f666f3fee6a39d7a377681614fcc5f6843

SHA512
b68bb593e42ff3d3ac8fc36c9a4ba6f599d2175343bd15588483f7eb9b9e9bfd649a56adb0345ef9cc07498160116429bd02d5bfa25d5ee3d982d9b957eac683

Download Submit
C:\Users\Admin\AppData\Roaming\297F0\0B31.97F

Filesize
996B

MD5
cb3bcf4f8d34bbf65d55c42d104a3485

SHA1
f0c37940363418941a813b8e32fd7141684c9493

SHA256
aee52cd4856cb37fb11f78f80d87c432600fe94653494a2c07f9d64e0341fb52

SHA512
128cd73ed82c71b1d4e47c363ae00da565ac0f5bd5bca81461aa9dbeb6a6d8a8a79c44ab7daeddee0d4eda8259604203563a1700f4d31bbb0913a723d69beeb2

Download Submit
C:\Users\Admin\AppData\Roaming\297F0\0B31.97F

Filesize
1KB

MD5
5d9fd1b7c85acff60621b198a55c063f

SHA1
123ab6f2f72f99dac3458668be0d79ba28132417

SHA256
c879a323b21bf570f2b31062af3c86b363074d144b220398ac99b7afd8fcaa63

SHA512
7a61954ed542f077c39aae0c79f90a0b661b257e2e369d44d211a0a51bbe9bd45544c8d038ed0cc556ee6f1ccd6c673bfbcd667120d591c4865c64f78862d79c

Download Submit
memory/436-176-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/436-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/436-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/436-280-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/436-2-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/436-293-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2380-175-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2380-174-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4760-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4760-13-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/4760-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads