e4c37cd0789b87360d975ad28885ca96182cdbafb09fccf838b587fa1eee0121

General

Target

56a25b61e95986085e5b31942e12438c.exe
Size

191KB
MD5

56a25b61e95986085e5b31942e12438c
SHA1

6235a768e1e3142f25a3b1e38d5c75a0ad874fed
SHA256

e4c37cd0789b87360d975ad28885ca96182cdbafb09fccf838b587fa1eee0121
SHA512

606e4163434241d8e28bf65ca498b46bfd194e8854aabdb003cf5b3e894eefa22b8bf0997402d0753e2945695c2f9f903c24aaf0350e70388d006563b99441bf
SSDEEP

3072:o3RGPZKuN8WDiTkca+oZuFmtPzQ7+FhHGUKY7Yxo0XeoKHR5DTD6Wo:7Dp8FmRz3FhmUK39uJHR5Ds

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	56a25b61e95986085e5b31942e12438c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-1-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/2564-6-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/2764-15-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/320-83-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/2764-85-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/2764-190-0x0000000000400000-0x0000000000488000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2564	2764	56a25b61e95986085e5b31942e12438c.exe	30
PID 2764 wrote to memory of 2564	2764	56a25b61e95986085e5b31942e12438c.exe	30
PID 2764 wrote to memory of 2564	2764	56a25b61e95986085e5b31942e12438c.exe	30
PID 2764 wrote to memory of 2564	2764	56a25b61e95986085e5b31942e12438c.exe	30
PID 2764 wrote to memory of 320	2764	56a25b61e95986085e5b31942e12438c.exe	32
PID 2764 wrote to memory of 320	2764	56a25b61e95986085e5b31942e12438c.exe	32
PID 2764 wrote to memory of 320	2764	56a25b61e95986085e5b31942e12438c.exe	32
PID 2764 wrote to memory of 320	2764	56a25b61e95986085e5b31942e12438c.exe	32

C:\Users\Admin\AppData\Local\Temp\56a25b61e95986085e5b31942e12438c.exe
"C:\Users\Admin\AppData\Local\Temp\56a25b61e95986085e5b31942e12438c.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\56a25b61e95986085e5b31942e12438c.exe
  C:\Users\Admin\AppData\Local\Temp\56a25b61e95986085e5b31942e12438c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\56a25b61e95986085e5b31942e12438c.exe
  C:\Users\Admin\AppData\Local\Temp\56a25b61e95986085e5b31942e12438c.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D81C.BBA

Filesize
996B

MD5
6d0e78c1e871335455cc538b39cb7b48

SHA1
af5cbe93846199083c0ee7ac5f6f790caf21fd9f

SHA256
9ac395d03332367671b7c728f0a29fb4a7e91d70e70e5f3b49b756141f8b207a

SHA512
fdad67c95f3f100b8a944a4aa8138e4f0ff4098f9f306151e7ac6a5ba84623d89fa15259ab61bd50346ecfacd727d85a8a1bdb4e2e12f7451a18950fa44f8fe2

Download Submit
C:\Users\Admin\AppData\Roaming\D81C.BBA

Filesize
1KB

MD5
a6e7fe6b7c3ad0717a928f58893c8049

SHA1
898ef404389f812fd609e6ae52c0cc289e740c71

SHA256
ae139147731780f8a873755c13658639ce18c60c7d378040df5b599f20188eed

SHA512
a2eb64a4caecff7d338768cac63584ff94da1a917beadd9f052c740b37886801b55a145b114a3d5bad203cc293bcc690651af8fe58f0e980ae194451fa6fc4d2

Download Submit
C:\Users\Admin\AppData\Roaming\D81C.BBA

Filesize
600B

MD5
2ae448cec7fabf6857dd33c769365b92

SHA1
e2c8e37dc210a8cb94d7f5521c26831a85d0cf6f

SHA256
dca4d1baa376d00bc3a9a9781a03bde250e9dbb00e2b1921814a52c83054bd85

SHA512
60cf59f5bfe0a8f9fca2af414d5ebc376347658280b8f5066ea7c7cdf39348157aa4be07508136630171e7f74eb01cbf0874bfa0f5b31161799d7b88fe9fafb9

Download Submit
memory/320-84-0x0000000000546000-0x0000000000562000-memory.dmp

Filesize
112KB

Download
memory/320-83-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2564-7-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2564-6-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2764-15-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2764-2-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2764-85-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2764-86-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2764-1-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2764-190-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads