7df7cc25adec4db367b0ac4e3428672d773820a9f4fdfbf0346cd2e31225c59c

General

Target

0ae3c3d40e9e2f9a607eb122945fd806.exe
Size

177KB
MD5

0ae3c3d40e9e2f9a607eb122945fd806
SHA1

44144fd58f1402d7e9fb9f79d8b1db8e47eb9ca0
SHA256

7df7cc25adec4db367b0ac4e3428672d773820a9f4fdfbf0346cd2e31225c59c
SHA512

cf28b7a0ebb6d3abae6ab213bc8ea492d3d799d9d23439f13ba9b9df64f28e24f60be3fc5047fda608780555aea9135708c532214b8aa39bf3783709934e041f
SSDEEP

3072:jAtbd/WSkwyW62FL0/qtCnkvTnlMMF1SJhinKxP6bqbrqjMVdTdws0lft2zn+lz5:0D/2ZrnGnpLnKx1brqjeRxEPlzGG

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	0ae3c3d40e9e2f9a607eb122945fd806.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/804-5-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2320-64-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2188-70-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2320-72-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2320-162-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30

C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe
"C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe
  C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe
  C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3AA1.2DF

Filesize
300B

MD5
43d6ba7e91b5a95024e94a5d92ae3253

SHA1
46ba464d2694e865277b9b2d8d58b6a52e742ef9

SHA256
9e3a524c5cbda746de47b1bbf23d0a0dc17333a4417c4a8ff0f77efeb9cb8f32

SHA512
08f584c7130368905e97b5af2a3468e2b2eac6156f9fe47608d7748fb06505e82b3824b762a6bcebacafcf9f014c6f390d5b84a0d1f2d8b4424f41df53dacfb4

Download Submit
C:\Users\Admin\AppData\Roaming\3AA1.2DF

Filesize
1KB

MD5
360d074420a5f4ae3283e5cb833b8364

SHA1
57c5026ba03daef89440144b0a21a0fc044a53c9

SHA256
a952fbfb41148579acd22d27a079b159b7c2a022fd7ecf7186a6d53a78d1749f

SHA512
2271d17fe2d8b058e086fa9da65b6c776258ece8156678c234e0148aa9529c856cfb93d4dc648df100f7f45a7b1ba522a7fe56a140ee65acb04cb4f16eaea809

Download Submit
C:\Users\Admin\AppData\Roaming\3AA1.2DF

Filesize
696B

MD5
4124215bcd51189a2d667f1f3df4f5da

SHA1
9ce7c2dafa3b6a499f4625d7492d5e0e593d6c23

SHA256
6ab05e26fa32776e2c17959d3bfc6dfc3893a47e9e610ad501803e0624f7d82d

SHA512
730972d3346792d82d7022e391db07fa4b3e3803f5c235a920e3558e6a1d4aa0a6ced3a06b6d8f69a4dfd5dfae6bce8647e289ec948b9f0d64203d726e821875

Download Submit
memory/804-6-0x0000000000575000-0x0000000000598000-memory.dmp

Filesize
140KB

Download
memory/804-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2188-71-0x0000000000635000-0x0000000000658000-memory.dmp

Filesize
140KB

Download
memory/2188-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-73-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2320-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-2-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2320-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads