6d5aa16e97689af6d6464aee85edd7160a929a2f0c351b43104eacd0adf1c042

General

Target

16a6955696ef375f1efb1d371cd9928c.exe
Size

691KB
MD5

16a6955696ef375f1efb1d371cd9928c
SHA1

bade58018b48d16198e2c2a2d3f2ac18f68104ea
SHA256

6d5aa16e97689af6d6464aee85edd7160a929a2f0c351b43104eacd0adf1c042
SHA512

53f0bd822576faac72b974bebd6c181784801e72207f00a36a9ec129951b4623c23d855db11446fc1c8f84f16c2e51319c3442df85b118e482982d16ea018101
SSDEEP

12288:/K3D4lady90jqe0pOSRhSKmXPi5C6oG5F0bLAUEEwPVot1W96P/qtqNA2:OVdyHjRYB/iww0HfEE/tg8GqN9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3008	AIDA64~2.EXE
2004	AIDA64~2.EXE
2596	Keygen.exe

Loads dropped DLL 5 IoCs

pid	Process
3008	AIDA64~2.EXE
3008	AIDA64~2.EXE
3008	AIDA64~2.EXE
3008	AIDA64~2.EXE
3008	AIDA64~2.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-51-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-52-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-53-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-54-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-55-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-56-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-57-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-58-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-59-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-60-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-61-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-62-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-63-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-64-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2596-65-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16a6955696ef375f1efb1d371cd9928c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2004	3008	AIDA64~2.EXE	17

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3008	2548	16a6955696ef375f1efb1d371cd9928c.exe	18
PID 2548 wrote to memory of 3008	2548	16a6955696ef375f1efb1d371cd9928c.exe	18
PID 2548 wrote to memory of 3008	2548	16a6955696ef375f1efb1d371cd9928c.exe	18
PID 2548 wrote to memory of 3008	2548	16a6955696ef375f1efb1d371cd9928c.exe	18
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 3008 wrote to memory of 2004	3008	AIDA64~2.EXE	17
PID 2548 wrote to memory of 2596	2548	16a6955696ef375f1efb1d371cd9928c.exe	16
PID 2548 wrote to memory of 2596	2548	16a6955696ef375f1efb1d371cd9928c.exe	16
PID 2548 wrote to memory of 2596	2548	16a6955696ef375f1efb1d371cd9928c.exe	16
PID 2548 wrote to memory of 2596	2548	16a6955696ef375f1efb1d371cd9928c.exe	16

C:\Users\Admin\AppData\Local\Temp\16a6955696ef375f1efb1d371cd9928c.exe
"C:\Users\Admin\AppData\Local\Temp\16a6955696ef375f1efb1d371cd9928c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3008

C:\Users\Admin\AppData\Roaming\AIDA64~2.EXE
C:\Users\Admin\AppData\Roaming\AIDA64~2.EXE
1⤵
- Executes dropped EXE
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-28-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-29-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-30-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-35-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2004-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2596-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-51-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-52-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2596-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3008-11-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/3008-38-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-10-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-12-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads