6d5aa16e97689af6d6464aee85edd7160a929a2f0c351b43104eacd0adf1c042

General

Target

16a6955696ef375f1efb1d371cd9928c.exe
Size

691KB
MD5

16a6955696ef375f1efb1d371cd9928c
SHA1

bade58018b48d16198e2c2a2d3f2ac18f68104ea
SHA256

6d5aa16e97689af6d6464aee85edd7160a929a2f0c351b43104eacd0adf1c042
SHA512

53f0bd822576faac72b974bebd6c181784801e72207f00a36a9ec129951b4623c23d855db11446fc1c8f84f16c2e51319c3442df85b118e482982d16ea018101
SSDEEP

12288:/K3D4lady90jqe0pOSRhSKmXPi5C6oG5F0bLAUEEwPVot1W96P/qtqNA2:OVdyHjRYB/iww0HfEE/tg8GqN9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2464	AIDA64~2.EXE
2352	AIDA64~2.EXE
4420	Keygen.exe

Loads dropped DLL 4 IoCs

pid	Process
2464	AIDA64~2.EXE
2464	AIDA64~2.EXE
2464	AIDA64~2.EXE
2464	AIDA64~2.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4420-37-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-38-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-39-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-40-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-41-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-42-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-43-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-44-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-47-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-48-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-49-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-50-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-51-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/4420-52-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16a6955696ef375f1efb1d371cd9928c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2352	2464	AIDA64~2.EXE	27

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4060	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2464	4624	16a6955696ef375f1efb1d371cd9928c.exe	17
PID 4624 wrote to memory of 2464	4624	16a6955696ef375f1efb1d371cd9928c.exe	17
PID 4624 wrote to memory of 2464	4624	16a6955696ef375f1efb1d371cd9928c.exe	17
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 2464 wrote to memory of 2352	2464	AIDA64~2.EXE	27
PID 4624 wrote to memory of 4420	4624	16a6955696ef375f1efb1d371cd9928c.exe	26
PID 4624 wrote to memory of 4420	4624	16a6955696ef375f1efb1d371cd9928c.exe	26
PID 4624 wrote to memory of 4420	4624	16a6955696ef375f1efb1d371cd9928c.exe	26

C:\Users\Admin\AppData\Local\Temp\16a6955696ef375f1efb1d371cd9928c.exe
"C:\Users\Admin\AppData\Local\Temp\16a6955696ef375f1efb1d371cd9928c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\AIDA64~2.EXE
    C:\Users\Admin\AppData\Roaming\AIDA64~2.EXE
    3⤵
    - Executes dropped EXE
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
  2⤵
  - Executes dropped EXE
  PID:4420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x314
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE

Filesize
92KB

MD5
0bbc14ae915fe43877d5b2d121a1af28

SHA1
b1cd8ecc199dc16593a19d491fa51e2dfce5300b

SHA256
1b84fab9537431cc8387640506793432d0b5be89f4fc8adfa3d7be575e5a3436

SHA512
84fb2d862a76b99e72fbd79cd728a99daf8d2c53bdc8bbd696bcbdad6c577e9d7f11903e58ec08b7d64b9f5e212fe38104be8d55c3c723ae8f14bd9c8c179cb0

Download Submit
memory/2352-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2352-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2352-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2464-8-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/2464-9-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/2464-7-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/2464-28-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/4420-41-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-44-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-42-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-38-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-49-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-50-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-51-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4420-52-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads