68309c1c7c91847ea800496b17ae3eafe675e2b61870363ee6ed098ab0a0fa58

General

Target

1f6c44eddf20315e210a1d4b72e24550.exe
Size

177KB
MD5

1f6c44eddf20315e210a1d4b72e24550
SHA1

2a34c6809bd6297157b46b0c5da36440770a0c23
SHA256

68309c1c7c91847ea800496b17ae3eafe675e2b61870363ee6ed098ab0a0fa58
SHA512

dcb786b5e4036b222b46874489087d8e5fb6142067cf85408f1b7ff344c40bd78fed07e8f41cb1af7f492d46550011652f4ce994b8fbf69a471a661f34b4dfc7
SSDEEP

3072:IvqOONDQKkT0fTObD/w/EohiDBwVWkWoXNm6GEYEDQQ0k1tk1:IfOUK0UVXNm60fAHk

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	1f6c44eddf20315e210a1d4b72e24550.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-1-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1144-13-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1144-12-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2528-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2304-81-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2528-83-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1144-85-0x0000000000290000-0x0000000000390000-memory.dmp	upx
behavioral1/memory/2528-147-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2528-180-0x0000000000400000-0x000000000048E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1144	2528	1f6c44eddf20315e210a1d4b72e24550.exe	28
PID 2528 wrote to memory of 1144	2528	1f6c44eddf20315e210a1d4b72e24550.exe	28
PID 2528 wrote to memory of 1144	2528	1f6c44eddf20315e210a1d4b72e24550.exe	28
PID 2528 wrote to memory of 1144	2528	1f6c44eddf20315e210a1d4b72e24550.exe	28
PID 2528 wrote to memory of 2304	2528	1f6c44eddf20315e210a1d4b72e24550.exe	30
PID 2528 wrote to memory of 2304	2528	1f6c44eddf20315e210a1d4b72e24550.exe	30
PID 2528 wrote to memory of 2304	2528	1f6c44eddf20315e210a1d4b72e24550.exe	30
PID 2528 wrote to memory of 2304	2528	1f6c44eddf20315e210a1d4b72e24550.exe	30

C:\Users\Admin\AppData\Local\Temp\1f6c44eddf20315e210a1d4b72e24550.exe
"C:\Users\Admin\AppData\Local\Temp\1f6c44eddf20315e210a1d4b72e24550.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\1f6c44eddf20315e210a1d4b72e24550.exe
  C:\Users\Admin\AppData\Local\Temp\1f6c44eddf20315e210a1d4b72e24550.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\1f6c44eddf20315e210a1d4b72e24550.exe
  C:\Users\Admin\AppData\Local\Temp\1f6c44eddf20315e210a1d4b72e24550.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2CA7.7BA

Filesize
1KB

MD5
5b6bd9a8cc29ffd2c7b05824d1a5e169

SHA1
f6ca48c97e44840f165cca8cf27bef6166b8b1a6

SHA256
a6d289f088278491cbfe4b6cf94301bb9a4956498b0773ae9731cf2741f21c32

SHA512
05d186174b3970e1ca3cd194032e9e595534c8494f52fa7e1ab071d51cfd2b054c69732080fdb2094617204637e1b43a774527c2f8a5816eef74f5bdc22a3fc5

Download Submit
C:\Users\Admin\AppData\Roaming\2CA7.7BA

Filesize
1KB

MD5
f683badade794641266429d00c37b334

SHA1
518839c93f7ee150ba6e02efde10200179d26703

SHA256
780770672c476c9ad06a8731a25377d18e4121d0981ac0e3abed7a44bb4e84ec

SHA512
570048f03ecab72261448545b5746974875a58a74619a46c1939423c09d7cfe705b7b99cb48873f7ced1715f191429628bea7eccbeb9b4c697073344eccb2cff

Download Submit
C:\Users\Admin\AppData\Roaming\2CA7.7BA

Filesize
600B

MD5
a05d676e4fbb58bdf31adc5492b1fa09

SHA1
9b2905c080791d218c1322d4b3bf5f34fbfc2e50

SHA256
8920cbed628c9404b6d3a4da7615d0a0c134aa136b1eb6c80b9ce0c8134a82e9

SHA512
8a1696e9b06917b8e037f03737862a98ed8404c46ecf5aeadcde061beebfbaa407629996beba91095b233f2d9f428d2eddbaa0cf410b4bfa4657c7e7b7d3c9b8

Download Submit
C:\Users\Admin\AppData\Roaming\2CA7.7BA

Filesize
996B

MD5
e832862159262c2745b736799ddd8199

SHA1
f653191bbd478c3cf083fcda6457970938a217ce

SHA256
bcf293fadbf48c8e35af52752bd42cd2054199b1766df6681add8268c764ab93

SHA512
dfd6ea26e31cae72e52ce1bfd175e5c0ca131fe97faab9329aed2157d7a2a68fb6cf55c1c8c07b969f2b66657000a55f3ed54dae72b55bca6f1c64773dd4042b

Download Submit
memory/1144-12-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1144-85-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1144-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1144-14-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2304-82-0x0000000000915000-0x0000000000930000-memory.dmp

Filesize
108KB

Download
memory/2304-81-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-83-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-84-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2528-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-147-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-2-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2528-180-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-187-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads