e4e367cdf3bd051008317a99681f3d5bef1082f52083357cc0480ab9a317493b

General

Target

353973888175ed3a55b55bbb9caa705d.exe
Size

936KB
MD5

353973888175ed3a55b55bbb9caa705d
SHA1

a62386a85101098a94d61588dd716f1ebbf00be0
SHA256

e4e367cdf3bd051008317a99681f3d5bef1082f52083357cc0480ab9a317493b
SHA512

65c504d719efc98b625f145c6ecfecf4e019d12bc77a1bd3b1d1c050dc1d4eef079fd999d2d6f1d4fa2cfa543457c679ff57a4c0b560d68a3805e8531d933918
SSDEEP

24576:0i98nUfykkc+ddd9IKr2bCPDf/9U7yGzlUUqmgxYtKQodW8Pz:0DnUfyWqjIRb2D39iyuxgxYt

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	353973888175ed3a55b55bbb9caa705d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	original.exe

Executes dropped EXE 3 IoCs

pid	Process
2392	original.exe
4524	original.exe
3132	FaceBookPokerHack.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000001e712-7.dat	upx
behavioral2/memory/2392-15-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2392-23-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 4524	2392	original.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	original.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2392	1236	353973888175ed3a55b55bbb9caa705d.exe	90
PID 1236 wrote to memory of 2392	1236	353973888175ed3a55b55bbb9caa705d.exe	90
PID 1236 wrote to memory of 2392	1236	353973888175ed3a55b55bbb9caa705d.exe	90
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 2392 wrote to memory of 4524	2392	original.exe	94
PID 4524 wrote to memory of 3132	4524	original.exe	95
PID 4524 wrote to memory of 3132	4524	original.exe	95

C:\Users\Admin\AppData\Local\Temp\353973888175ed3a55b55bbb9caa705d.exe
"C:\Users\Admin\AppData\Local\Temp\353973888175ed3a55b55bbb9caa705d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\original.exe
  "C:\Users\Admin\AppData\Local\Temp\original.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\original.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Admin\AppData\Roaming\FaceBookPokerHack.exe
      "C:\Users\Admin\AppData\Roaming\FaceBookPokerHack.exe"
      4⤵
      Executes dropped EXE
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\original.exe

Filesize
764KB

MD5
a7e03f76f236d52fabab95062a952425

SHA1
b23a9109dfb0c3ea29bfd970ad5da06e8ae8969c

SHA256
528c9ee89796f9e3ba233c46065c18f0ddfed428fe80d12269b156494b680234

SHA512
1dd531130bcdb0f20183cb818cfed25ceee997ce28a465bfa68a843deb0d7cc8aa0779ff3038eec1bc09787d37e660eea2574d265fcefd1d954e7f4c73f78eec

Download Submit
C:\Users\Admin\AppData\Roaming\FaceBookPokerHack.exe

Filesize
405KB

MD5
d235f5807f24bb4ff3b1e20ee3911d14

SHA1
47d665feeb0fdc947c5481dee325fa2a9f0e0d80

SHA256
0a78fcc9494591ab75b8b93889d1755829b2aa030626b1b350cc2bef04b297eb

SHA512
6c1ff98ee7fd6cb4df2ac264657d34f3b18b554b2520789206e41f422bbc4587c7c32dfd76870aa9ce646838db45a67bb9a2dd6406129887e020cbcbf7bcd024

Download Submit
C:\Users\Admin\AppData\Roaming\FaceBookPokerHack.exe

Filesize
381KB

MD5
1ae3ae81ec49df2f916e881f2c8f8d5b

SHA1
aae7a9f8491cb6655d12c465895a6478fb0e7222

SHA256
6730237d3094785cfd59df5ee337d57ce6729191422053f4d52be4209caf0c62

SHA512
d054666d00a15ca6765ec275f0b627859f4ac7dc83ae2efa1dfe36b7515911ad2e31741742d49f1dd2c46a5f6ec23be974bd599e161389c2756bfbdfdebba3af

Download Submit
memory/1236-16-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/1236-3-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/1236-14-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/1236-0-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/1236-11-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/1236-1-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/1236-28-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/2392-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2392-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3132-45-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/3132-49-0x0000000001530000-0x0000000001538000-memory.dmp

Filesize
32KB

Download
memory/3132-54-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/3132-44-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/3132-53-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/3132-43-0x000000001BCB0000-0x000000001BD56000-memory.dmp

Filesize
664KB

Download
memory/3132-47-0x000000001C230000-0x000000001C6FE000-memory.dmp

Filesize
4.8MB

Download
memory/3132-46-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/3132-52-0x00007FFDF7E80000-0x00007FFDF8821000-memory.dmp

Filesize
9.6MB

Download
memory/3132-48-0x000000001C7A0000-0x000000001C83C000-memory.dmp

Filesize
624KB

Download
memory/3132-51-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/3132-50-0x000000001C940000-0x000000001C98C000-memory.dmp

Filesize
304KB

Download
memory/4524-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4524-41-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4524-26-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4524-24-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing