06c34394aaa10f88ab6c755fe8fc3846dcad360850a67d037abd9804d07b30bb

General

Target

0537ae629583f68cc2bc00efc59d7e55.exe
Size

909KB
MD5

0537ae629583f68cc2bc00efc59d7e55
SHA1

9d86faf729616d0ae13b073e2f73e674417536c4
SHA256

06c34394aaa10f88ab6c755fe8fc3846dcad360850a67d037abd9804d07b30bb
SHA512

6ce90cd0ba091b1f25b991add4ab5e70912d927c1facc011ff484a04cb1a36e1927c3ee7dd50294223b09a013e0b0bdfa64bb87a7927ceffc8227e666e939f88
SSDEEP

24576:uQXz088WLzxDfgM1uylEjlISKfqrx0OGO31g7+RO:tXzkWxMQlgI/fJOq64

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1616	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
1712	0537ae629583f68cc2bc00efc59d7e55.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x00000000009A0000-0x0000000000C51000-memory.dmp	upx
behavioral1/files/0x000d00000001232d-2.dat	upx
behavioral1/memory/1712-4-0x0000000002750000-0x0000000002A01000-memory.dmp	upx
behavioral1/files/0x000d00000001232d-8.dat	upx
behavioral1/memory/1616-9-0x0000000000810000-0x0000000000AC1000-memory.dmp	upx
behavioral1/memory/1712-7-0x00000000009A0000-0x0000000000C51000-memory.dmp	upx
behavioral1/files/0x000d00000001232d-6.dat	upx
behavioral1/files/0x000d00000001232d-18.dat	upx
behavioral1/files/0x000d00000001232d-17.dat	upx
behavioral1/files/0x000d00000001232d-16.dat	upx
behavioral1/files/0x000d00000001232d-15.dat	upx
behavioral1/memory/1616-23-0x0000000000810000-0x0000000000AC1000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	1616	WerFault.exe	28

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1712	0537ae629583f68cc2bc00efc59d7e55.exe
1712	0537ae629583f68cc2bc00efc59d7e55.exe
1616	setup.exe
1616	setup.exe
1616	setup.exe
1616	setup.exe
1616	setup.exe
1616	setup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1712 wrote to memory of 1616	1712	0537ae629583f68cc2bc00efc59d7e55.exe	28
PID 1616 wrote to memory of 3000	1616	setup.exe	29
PID 1616 wrote to memory of 3000	1616	setup.exe	29
PID 1616 wrote to memory of 3000	1616	setup.exe	29
PID 1616 wrote to memory of 3000	1616	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\0537ae629583f68cc2bc00efc59d7e55.exe
"C:\Users\Admin\AppData\Local\Temp\0537ae629583f68cc2bc00efc59d7e55.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 468
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
386KB

MD5
b29812de29cf7a17623ba135244f6786

SHA1
dd3f260797196cfae14ed53cd23f4d2fc667cdb1

SHA256
f50cdde1bcecec1adfacdd70b02b8cb42421493f031ed8a286298c48f7f03dc2

SHA512
722a610807e3ce7ca1d4653cd9e64ef3b4b6f40b48718e30c96f17188acc2fe32f07c5985a02247e6d261f15385103087856b2f48c1e8be373991c7e4099805a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
411KB

MD5
eda7162c985f69dac8ecd44f8cf09e5c

SHA1
c2a5113ce91836c432f95e43e7d633d1a9ceaeae

SHA256
bffe3471870802f9e41abbda1fe8d7386d0f0a9f68278159e26ef23af0c5283a

SHA512
576e9e6e10d898c9d74afdcce8efee4fbed20bf02657e21cca36d967be1ed0151297af2b090a24e1bcd6a99d523342b449c8494fa6af7cc34e2b557df9ac366f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
489KB

MD5
1dd1d4f4989ba418094d0d372607277a

SHA1
9afb60acd7ec8f34945f7ff63ffdd8ef64e36b04

SHA256
453ad1d6d1aa8ba07710581c4b8c19579b8c3cc0066bef2b36f836e10b79a48d

SHA512
12981064d2f3962e3b1b55a18d6c122598a95cccad8d40087c6614615002e2ef948d48e0565a6073ba3202e0dac7e3e60fb774027240c476637c31fda5c505ec

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
156KB

MD5
3f17262b6c126d55d747120da4c95b6c

SHA1
6bd2f05a350911571445d51669e6915e6f614689

SHA256
d47375eb29d321f3f6327ea7b62600400cac1d6567a166a848aec6da7c51c202

SHA512
b4d702750ac3fd91fec302fd001ff763318a3cc8757fa518154d8cbeed69f4c143b2d0a8efe4cd503793c57d03d2f3ee8d33878894a6f7787e1a6a24b0211c7a

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
223KB

MD5
3bd860b5b4758eeb18a014c755dac98c

SHA1
31c86b289c43ed021b335f9ae8dfcd4260ba9c0a

SHA256
c25524873c8c46640d875468417ae1f3006c7bd1d858443b2872d55d89b9dd95

SHA512
f036157c8d39bc61a0b30371428f0fd53717637c99a4e126bb040dcb01552cfb7492a2d40ef9a4cf00cb0e0f8eaf445d793970bef3c04b8938cdd5fdc28d3687

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
909KB

MD5
0537ae629583f68cc2bc00efc59d7e55

SHA1
9d86faf729616d0ae13b073e2f73e674417536c4

SHA256
06c34394aaa10f88ab6c755fe8fc3846dcad360850a67d037abd9804d07b30bb

SHA512
6ce90cd0ba091b1f25b991add4ab5e70912d927c1facc011ff484a04cb1a36e1927c3ee7dd50294223b09a013e0b0bdfa64bb87a7927ceffc8227e666e939f88

Download Submit
memory/1616-9-0x0000000000810000-0x0000000000AC1000-memory.dmp

Filesize
2.7MB

Download
memory/1616-23-0x0000000000810000-0x0000000000AC1000-memory.dmp

Filesize
2.7MB

Download
memory/1712-4-0x0000000002750000-0x0000000002A01000-memory.dmp

Filesize
2.7MB

Download
memory/1712-0-0x00000000009A0000-0x0000000000C51000-memory.dmp

Filesize
2.7MB

Download
memory/1712-7-0x00000000009A0000-0x0000000000C51000-memory.dmp

Filesize
2.7MB

Download
memory/1712-25-0x0000000002750000-0x0000000002A01000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing