44859cfca4b57e180e4ba3959cda0063cfaa22b3baee5fa4201a6be69d1d5e1f

General

Target

0c749ad588b98fb31ad7582308d09d53.exe
Size

168KB
MD5

0c749ad588b98fb31ad7582308d09d53
SHA1

2a5b6c0e47b4ee8a2f02c3b759f991a1806fb827
SHA256

44859cfca4b57e180e4ba3959cda0063cfaa22b3baee5fa4201a6be69d1d5e1f
SHA512

d52ef7bc08887e66f27caf8f92f6387d2bcf2130be5987b40028d8fce6cfa5fcffca3b7e3a2f0990cdcc0ffdd7ce98193545140391eee145f14b1270abd541bc
SSDEEP

3072:kfn0ATE98VbOROy3M0cc+qJoxvPVHiTcw6406cBdkTjF5uO/X05s:k8Ao98MIy3M0cc+qmxvNHiTcw67dkO8+

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\DFEC7\\1864C.exe"	0c749ad588b98fb31ad7582308d09d53.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1464-1-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4052-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1464-42-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/112-112-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1464-113-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1464-181-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4052	1464	0c749ad588b98fb31ad7582308d09d53.exe	40
PID 1464 wrote to memory of 4052	1464	0c749ad588b98fb31ad7582308d09d53.exe	40
PID 1464 wrote to memory of 4052	1464	0c749ad588b98fb31ad7582308d09d53.exe	40
PID 1464 wrote to memory of 112	1464	0c749ad588b98fb31ad7582308d09d53.exe	98
PID 1464 wrote to memory of 112	1464	0c749ad588b98fb31ad7582308d09d53.exe	98
PID 1464 wrote to memory of 112	1464	0c749ad588b98fb31ad7582308d09d53.exe	98

C:\Users\Admin\AppData\Local\Temp\0c749ad588b98fb31ad7582308d09d53.exe
"C:\Users\Admin\AppData\Local\Temp\0c749ad588b98fb31ad7582308d09d53.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\0c749ad588b98fb31ad7582308d09d53.exe
  C:\Users\Admin\AppData\Local\Temp\0c749ad588b98fb31ad7582308d09d53.exe startC:\Program Files (x86)\LP\4CBD\FAF.exe%C:\Program Files (x86)\LP\4CBD
  2⤵
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\0c749ad588b98fb31ad7582308d09d53.exe
  C:\Users\Admin\AppData\Local\Temp\0c749ad588b98fb31ad7582308d09d53.exe startC:\Program Files (x86)\C760F\lvvm.exe%C:\Program Files (x86)\C760F
  2⤵
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DFEC7\760F.FEC

Filesize
996B

MD5
a5adbe2ba671d32d17dbf894804493c6

SHA1
192262b9f92ad10b6c082e9a3c3b0c734c19add8

SHA256
6a2db78367b62274a66cb1ab9587964e00a5e03bdb12840d48ef5c39e0259bee

SHA512
05c5cace75a466bae167d5ede236836e91de1ba14b70bff81e5be19adea3118474aedb188f33d6fae6042cf06a2c6de9a9cadf49bde7e684a8f086664714d26f

Download Submit
C:\Users\Admin\AppData\Roaming\DFEC7\760F.FEC

Filesize
600B

MD5
b0e3008a1e5bb3108e9ad53634220cee

SHA1
cb9c5be9cef840ad53fc8c8e21978434d39da663

SHA256
d0fcdf7125a0780592ca9dacb4a119f7dc12ba626bc6f2a3cb1bffac8d2740a9

SHA512
8eb9741dbffa5aeb1b715f8d0fba34240ebf50a9be8f8b3ebd8cef2310b9fbd95a0ca1742e3c75e9edb378128b15741a83bb8104bcf00a4e06e9e9ba861ee7de

Download Submit
C:\Users\Admin\AppData\Roaming\DFEC7\760F.FEC

Filesize
1KB

MD5
88e6f2c0b870b603041d63619f042f63

SHA1
3cca82802859c03959eb2833f903b9dff8645909

SHA256
e803bb13e0e660ffc4eb75cbb1e7c9567f8d46b45fc6add8872ecb4c7f26eeb5

SHA512
4102ce370221830e3667585a65cba88c4d081b19107df2e6829a362d3dc5252719dedb201197575aaafc06cfb83b025334232b590e01a0f040f124480a70f7b9

Download Submit
memory/112-110-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/112-112-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/112-111-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/1464-113-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1464-42-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1464-2-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1464-114-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1464-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1464-181-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4052-13-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/4052-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads