58339058f3bee31242008d95591ed1fc0f2fb7386abacccce7c55fb1ce1e90f2

General

Target

03c7c823f811e3d7b5ca7f7c72153dca.exe
Size

181KB
MD5

03c7c823f811e3d7b5ca7f7c72153dca
SHA1

19c2c0cbc46fda0b0952f1c37f900cbd026a8198
SHA256

58339058f3bee31242008d95591ed1fc0f2fb7386abacccce7c55fb1ce1e90f2
SHA512

e2a43ea8c421c27b079d483e0dcfcf249b77bb6f965a8668b6a380852d1df7826443bba35e2d3e7e94b8d10256228acaf232c232a281efb9a8d901d0924d8341
SSDEEP

3072:dBrkxqWp+t5qe6tJbgsK7UiPDyvvN99eb5XD/DbInrUJYKzo35SAsd53MynBfnw:dBrc9p+tE837hP+vNObV/DWrnaAs53ME

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	03c7c823f811e3d7b5ca7f7c72153dca.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-1-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1388-12-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1388-14-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2648-15-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2752-95-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2648-97-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2648-98-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2648-167-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2648-200-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2648-204-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1388	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	28
PID 2648 wrote to memory of 1388	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	28
PID 2648 wrote to memory of 1388	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	28
PID 2648 wrote to memory of 1388	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	28
PID 2648 wrote to memory of 2752	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	30
PID 2648 wrote to memory of 2752	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	30
PID 2648 wrote to memory of 2752	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	30
PID 2648 wrote to memory of 2752	2648	03c7c823f811e3d7b5ca7f7c72153dca.exe	30

C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe
"C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe
  C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe
  C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\60EE.DBA

Filesize
1KB

MD5
c0872309e39ce783cf30f70442fa58f7

SHA1
0703b89715532335f1450981c37c31f661747ef4

SHA256
ae62375d6cd73cebbd5d4c451619ce896240341c11a8fbed101608baf3c2274a

SHA512
400388630dde43b7821e15e80f2181dcdfd0be931f3553ad751858601f8686306096e2f8f786506b1d0e0bc12e8d3687f91e64f3eda90d39eea3573388a49e03

Download Submit
C:\Users\Admin\AppData\Roaming\60EE.DBA

Filesize
600B

MD5
518c74887fbb139f15438a3d3bbd528a

SHA1
b1644b306b38fc7905cead299cf69f907cbd2132

SHA256
b584e8e95fb1528e0033e48d1527c55382b468ee0f3dab283e7fe012053607c0

SHA512
77cbc1e91e84551e712b9c9cb28ce485ab31275ab78e76483c2f1a50344a51630eaf7cda0cce8a6bb755e0f35b6e2883e145a7eb71fade652e9f962b22e82880

Download Submit
C:\Users\Admin\AppData\Roaming\60EE.DBA

Filesize
996B

MD5
33e4df073b54c4b6b2ad6b764078fd46

SHA1
958b2d5f6a55b91761671b4133b3e1f6bd187d64

SHA256
a89f2c1b0c7baa9033c9a837f5403123386105ed2401376c491bbfd1a3226249

SHA512
fcf539fe145ec447255c691a9419ce2a02a098b43e713c1dbd5e44b239a79fdb5978dbd556bee27002848e92c4c5b78624c65dfc3a033ea8e55253f0e6326683

Download Submit
memory/1388-13-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/1388-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1388-14-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-99-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/2648-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-97-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-98-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-167-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-2-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/2648-200-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2648-204-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2752-95-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2752-96-0x00000000005C8000-0x00000000005E4000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads