cfe90e9b4dd78483cf11b9f68e978907f1bf5602e73e0fd3368340d409d4310e

General

Target

0ebefc9744bef5d707e1dfd9d30bfd95.exe
Size

216KB
MD5

0ebefc9744bef5d707e1dfd9d30bfd95
SHA1

ee869c40160ecd1e92a0e9b7f95b15f4c45e3e01
SHA256

cfe90e9b4dd78483cf11b9f68e978907f1bf5602e73e0fd3368340d409d4310e
SHA512

9737128af00fa418410c30ff4753290b1e021344710ee802fba2ce5b189b06f6808d680e4e6bbad0ac5ccebabee33db42f1eeb5d0f4f0510708fdb004854747f
SSDEEP

6144:5WmY0snba+a6uxpc89pKf/Yt69v4ytGmc:5WmzsUxi4KfSuv4qGmc

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2780 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2780	cmd.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2068-1-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-2-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-4-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-5-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-6-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-8-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-9-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-10-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-11-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-13-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-14-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-15-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2068-19-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0ebefc9744bef5d707e1dfd9d30bfd95.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WSYSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0ebefc9744bef5d707e1dfd9d30bfd95.exe /cs:1 "	0ebefc9744bef5d707e1dfd9d30bfd95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSYSS = "\"C:\\ProgramData\\9cb25d9\\WinSysSuite.exe\" /s"	0ebefc9744bef5d707e1dfd9d30bfd95.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1518.001

Processes:

0ebefc9744bef5d707e1dfd9d30bfd95.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ 0ebefc9744bef5d707e1dfd9d30bfd95.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2852 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2852 taskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	0ebefc9744bef5d707e1dfd9d30bfd95.exe

pid	process
2852	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2852	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0ebefc9744bef5d707e1dfd9d30bfd95.exe

description	pid	process	target process
PID 2068 wrote to memory of 2852	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	taskkill.exe
PID 2068 wrote to memory of 2852	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	taskkill.exe
PID 2068 wrote to memory of 2852	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	taskkill.exe
PID 2068 wrote to memory of 2852	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	taskkill.exe
PID 2068 wrote to memory of 2780	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	cmd.exe
PID 2068 wrote to memory of 2780	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	cmd.exe
PID 2068 wrote to memory of 2780	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	cmd.exe
PID 2068 wrote to memory of 2780	2068	0ebefc9744bef5d707e1dfd9d30bfd95.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0ebefc9744bef5d707e1dfd9d30bfd95.exe
"C:\Users\Admin\AppData\Local\Temp\0ebefc9744bef5d707e1dfd9d30bfd95.exe"
1⤵
- Adds Run key to start application
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM MSASCui* /IM avg* /IM ash* /IM McSA*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat" >> NUL
2⤵
- Deletes itself
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat
Filesize
183B

MD5
b54b202cac79ac3d446cbe206760d715

SHA1
8eea707656f85636f52a1da27a8d5663bf281c96

SHA256
7679ba8f6052542010671670cbe73c469c318942b26be220015ccfd18f26c9c3

SHA512
11029137f6aa32ba95adf9b614b0012546811cd9dc4d6662f2264787c83eb105a604b1a0e8bca86661f911657cdd5d8d574146174e3b34d57b53aa6a5451407b

Download Submit
memory/2068-8-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-10-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-4-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-5-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-6-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-0-0x00000000002B0000-0x00000000002B4000-memory.dmp

Filesize
16KB

Download
memory/2068-9-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-2-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-11-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-14-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-15-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-1-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-19-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads