7dd8befa6135e039fd241d52e4975b3bc1268e24e4e0dcae1c0699ab482b404b

General

Target

0cd1e3e4181803c81e500412fbe79b70.exe
Size

204KB
MD5

0cd1e3e4181803c81e500412fbe79b70
SHA1

bf69949401e43145e962537df925e5b7a7246864
SHA256

7dd8befa6135e039fd241d52e4975b3bc1268e24e4e0dcae1c0699ab482b404b
SHA512

d876f9c64842c3a9821464deb7c3154b196239afad679ffa58e2c3d0aa09d1c2e1be71f1a62eebc851eb6f82b2a77c775e7e5ae14ea3ff45001299d56bdf0558
SSDEEP

6144:WpAKPdcFEABgdr5yKzq+DbJqEWHmipRE1OQJveZoTdf:kAGcFEA6q+3JqpHmDHVeZy

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	0cd1e3e4181803c81e500412fbe79b70.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/824-2-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1636-6-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1636-5-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/824-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2792-90-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2792-89-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/824-92-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1636-94-0x0000000000520000-0x0000000000620000-memory.dmp	upx
behavioral1/memory/824-194-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1636	824	0cd1e3e4181803c81e500412fbe79b70.exe	27
PID 824 wrote to memory of 1636	824	0cd1e3e4181803c81e500412fbe79b70.exe	27
PID 824 wrote to memory of 1636	824	0cd1e3e4181803c81e500412fbe79b70.exe	27
PID 824 wrote to memory of 1636	824	0cd1e3e4181803c81e500412fbe79b70.exe	27
PID 824 wrote to memory of 2792	824	0cd1e3e4181803c81e500412fbe79b70.exe	30
PID 824 wrote to memory of 2792	824	0cd1e3e4181803c81e500412fbe79b70.exe	30
PID 824 wrote to memory of 2792	824	0cd1e3e4181803c81e500412fbe79b70.exe	30
PID 824 wrote to memory of 2792	824	0cd1e3e4181803c81e500412fbe79b70.exe	30

C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe
"C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe
  C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe
  C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B385.EDE

Filesize
600B

MD5
e064d1abbfe3576cf1afeefb41695d27

SHA1
df52f8ff217712bff8f7462a5ff1d05c9e4e7fc8

SHA256
ee8e80ff6011b87654b10bba6c692fe15fed9dfc89b7a27b01f2aaee8b542368

SHA512
187daed5e8904b0c0abae9d8fa6babd0a5b404b5e1fef386b145f7ce00455377a297de414a86187c4e91bd1fc632139f55fc21846ee1d90451186d3527da3758

Download Submit
C:\Users\Admin\AppData\Roaming\B385.EDE

Filesize
996B

MD5
469e0ed0bafd757cfd6db90903c489dd

SHA1
15110bf29b8357132e480aec0e978e5b6467480c

SHA256
6ae82967d4ee3aae3269b7f7556b436c3d7cd276bb1c4c3d6751f66037a13a28

SHA512
6d5c2edca6b981d5354f826362fdf5984114df1b915c1d280f946a65b67e7897a6d0c6f0c59f0a72ad6f2b40dafb86be23b6f6451019cbcc8e6cbb00e96833e8

Download Submit
memory/824-92-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/824-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/824-194-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/824-3-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/824-93-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/824-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1636-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1636-5-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1636-94-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1636-7-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2792-90-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2792-89-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2792-91-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads