53b4cb5b5078fc52c255a996e1870dabff9cd5a16af0103fb4807abf43a9cc4f

General

Target

1635b9e8e8903dd722f55536133cb1fd.exe
Size

169KB
MD5

1635b9e8e8903dd722f55536133cb1fd
SHA1

8789cd379d3d32b58ce55b6eec325e0b8f83c91c
SHA256

53b4cb5b5078fc52c255a996e1870dabff9cd5a16af0103fb4807abf43a9cc4f
SHA512

345a967c038e581008afc784b44bdaaf9e5ee1a98c9441f32c6da33caa4d8cf3db5558f4eced75b2b0a3d1d038829e3ce9807ae74914af3a929516f832cb8465
SSDEEP

3072:Vmy+mLhvDdC4psqLDSysGKrO7QqU/W9ffr1o0PyL0Kmnmw1zgsZVySHoUWIf:0y9O4G7rO7Qq+WNa0Y0znmAz3ian/f

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\6A4C8\\558A2.exe"	1635b9e8e8903dd722f55536133cb1fd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-1-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2224-4-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2224-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2928-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2172-86-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2172-85-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2224-88-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2224-191-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2928	2224	1635b9e8e8903dd722f55536133cb1fd.exe	28
PID 2224 wrote to memory of 2928	2224	1635b9e8e8903dd722f55536133cb1fd.exe	28
PID 2224 wrote to memory of 2928	2224	1635b9e8e8903dd722f55536133cb1fd.exe	28
PID 2224 wrote to memory of 2928	2224	1635b9e8e8903dd722f55536133cb1fd.exe	28
PID 2224 wrote to memory of 2172	2224	1635b9e8e8903dd722f55536133cb1fd.exe	30
PID 2224 wrote to memory of 2172	2224	1635b9e8e8903dd722f55536133cb1fd.exe	30
PID 2224 wrote to memory of 2172	2224	1635b9e8e8903dd722f55536133cb1fd.exe	30
PID 2224 wrote to memory of 2172	2224	1635b9e8e8903dd722f55536133cb1fd.exe	30

C:\Users\Admin\AppData\Local\Temp\1635b9e8e8903dd722f55536133cb1fd.exe
"C:\Users\Admin\AppData\Local\Temp\1635b9e8e8903dd722f55536133cb1fd.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\1635b9e8e8903dd722f55536133cb1fd.exe
  C:\Users\Admin\AppData\Local\Temp\1635b9e8e8903dd722f55536133cb1fd.exe startC:\Program Files (x86)\LP\A226\AA8.exe%C:\Program Files (x86)\LP\A226
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\1635b9e8e8903dd722f55536133cb1fd.exe
  C:\Users\Admin\AppData\Local\Temp\1635b9e8e8903dd722f55536133cb1fd.exe startC:\Program Files (x86)\C8A96\lvvm.exe%C:\Program Files (x86)\C8A96
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6A4C8\8A96.A4C

Filesize
300B

MD5
f427664ecf095d641eccdc81957b75b6

SHA1
fbe2bd7ef681e5e3168dd25d470389d9968fc195

SHA256
90b4fc0440d726ae41cf3761da689efce18e1e3b2ac76b00c42ae77cf3e8a842

SHA512
e2aaaf2a085ffe5d0de4715f4ad6c6ff625971fe6992a816c6518c03532d843449bd35012be6c9fe122c6a667297296626c4f60cb6d76712b0af237d4e35a4f3

Download Submit
C:\Users\Admin\AppData\Roaming\6A4C8\8A96.A4C

Filesize
1KB

MD5
0c28c896b0cda2f91190a868425282e6

SHA1
5a875b3acda8a593648b315130a19b33515fb271

SHA256
27080556848abf31f3f78e9c78637f10d5e3a73958072790c14d2b2e504ebe3e

SHA512
88abaecc0d7f7e4307f71a854b23f9ab0f3390144534b11f3449cce9819bb95dcfdb46fd9241ef3d6412ee3a5eb2c5685eb84d855dd3bfc45093538583026447

Download Submit
C:\Users\Admin\AppData\Roaming\6A4C8\8A96.A4C

Filesize
600B

MD5
cd20796a931ab2e967779f3993dc7a6a

SHA1
a7cdc872f0980cb73a9e921b5803c7b6479d5a51

SHA256
da74a4866fb2cb57e80a71430e82c3e33acf6ceb8e6766d14e985de84ad0cc33

SHA512
715bebf7e96d4689e11aac49312de3e033a8d86e5c6438c2414c4ba3c2f89dbf98977b84b1fbffbc23b92e1f4313eed7b93a6948a396fef238049a7447e1979f

Download Submit
C:\Users\Admin\AppData\Roaming\6A4C8\8A96.A4C

Filesize
996B

MD5
4f2a9ac713f055feed7b65f3492b95b6

SHA1
ec51ab90393dcf7ed7bff0427389b0646a9ea260

SHA256
d510aca739ee9654d1f8339ddb0ea808525999bc1215644387432a06e05d87da

SHA512
0d036f4d28c9ec323aed7fc33e856b023f9fded92b80bde0516ab88d89981f428ff97a7d278cd1c6b0637cf830869c25edaa9e7ce74b8d014d7718e36daf9e10

Download Submit
memory/2172-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2172-85-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2172-87-0x0000000001E60000-0x0000000001F60000-memory.dmp

Filesize
1024KB

Download
memory/2172-154-0x0000000001E60000-0x0000000001F60000-memory.dmp

Filesize
1024KB

Download
memory/2224-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2224-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2224-88-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2224-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2224-2-0x0000000001F10000-0x0000000002010000-memory.dmp

Filesize
1024KB

Download
memory/2224-191-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2928-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2928-17-0x0000000001F10000-0x0000000001F8B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads