58339058f3bee31242008d95591ed1fc0f2fb7386abacccce7c55fb1ce1e90f2

General

Target

03c7c823f811e3d7b5ca7f7c72153dca.exe
Size

181KB
MD5

03c7c823f811e3d7b5ca7f7c72153dca
SHA1

19c2c0cbc46fda0b0952f1c37f900cbd026a8198
SHA256

58339058f3bee31242008d95591ed1fc0f2fb7386abacccce7c55fb1ce1e90f2
SHA512

e2a43ea8c421c27b079d483e0dcfcf249b77bb6f965a8668b6a380852d1df7826443bba35e2d3e7e94b8d10256228acaf232c232a281efb9a8d901d0924d8341
SSDEEP

3072:dBrkxqWp+t5qe6tJbgsK7UiPDyvvN99eb5XD/DbInrUJYKzo35SAsd53MynBfnw:dBrc9p+tE837hP+vNObV/DWrnaAs53ME

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	03c7c823f811e3d7b5ca7f7c72153dca.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3176-1-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2308-12-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3176-15-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/904-101-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/904-102-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3176-104-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3176-173-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3176-176-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 2308	3176	03c7c823f811e3d7b5ca7f7c72153dca.exe	86
PID 3176 wrote to memory of 2308	3176	03c7c823f811e3d7b5ca7f7c72153dca.exe	86
PID 3176 wrote to memory of 2308	3176	03c7c823f811e3d7b5ca7f7c72153dca.exe	86
PID 3176 wrote to memory of 904	3176	03c7c823f811e3d7b5ca7f7c72153dca.exe	96
PID 3176 wrote to memory of 904	3176	03c7c823f811e3d7b5ca7f7c72153dca.exe	96
PID 3176 wrote to memory of 904	3176	03c7c823f811e3d7b5ca7f7c72153dca.exe	96

C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe
"C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe
  C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe
  C:\Users\Admin\AppData\Local\Temp\03c7c823f811e3d7b5ca7f7c72153dca.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BE10.93D

Filesize
996B

MD5
bca97c90ac717e2a2da8b27df6d3ca69

SHA1
1a27f31c250649b42cb14945921b5c5d8d419938

SHA256
1d979139c9f94a15011715d260e49c9f33990bb473b4a4734b764cc06f7014aa

SHA512
f714e36e44a868c72e205a154e90af0b95ed17ff1cc6dd8164caffa20a253f7dc24022e09f62fd83eba5dfdd33059f23c44077cbef8f087d0638b5f35e16ed95

Download Submit
C:\Users\Admin\AppData\Roaming\BE10.93D

Filesize
1KB

MD5
051766d13d08d7d561fb352497549954

SHA1
13271ebf0b663970b3437939d116a1af9f2c2cb7

SHA256
cf22610309564e0789fae677deb963ab999102717d63dc8cdb1c90b2fb29cb80

SHA512
2dccb3c89c13700cc0f11484cd7d38768a19f0886517b3c8655e0ebdf399e5ffdcdc9b7be1a56d1d0567e16f67de7536b7fe991d5e79615c702bacb7d130ce98

Download Submit
C:\Users\Admin\AppData\Roaming\BE10.93D

Filesize
600B

MD5
f52d2ab4263203f32c67be4957deb9a6

SHA1
0906f4daacd8bf1a11782a64e6bb5b657bd9f110

SHA256
5cd8b44d657551e97e25b985a9e1d5d13c83d7f8d0a5d10654e3baf030c95ae3

SHA512
84a7fcf2c7a195a525e391aad7265b77eaca6324daa8d56f014e66c0cbf9fdd0c4af260b3fcb9716a2e52145ce019df5e91b9e3646486dec23fd0c5669c7d241

Download Submit
memory/904-102-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/904-101-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/904-103-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2308-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2308-13-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/3176-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3176-2-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3176-104-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3176-105-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3176-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3176-170-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3176-173-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3176-176-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads