a5574d4791492293674dddbb259309a2cdb24471103484a0882f3c076a7cc1ef

General

Target

2b1432ef93e6466c27d4ac59028ee254.exe
Size

165KB
MD5

2b1432ef93e6466c27d4ac59028ee254
SHA1

e7a68440a69e99033e6ba2ca9fa19ab931584c28
SHA256

a5574d4791492293674dddbb259309a2cdb24471103484a0882f3c076a7cc1ef
SHA512

c694cf1b9cc2ad6bcbbad4cacc7bd2d94cf49231bde87ff47688c5bcc758f31fd458df01cb3fb4c569932d8c25246e0f60584090a162d888e59b6841ee0e38a5
SSDEEP

3072:aAWT36du5VmyT4gLHz7iFm6Y+HD6I4Ich4yqiDQkfnoFa4uX2:avr6du5VrTfznLgJiXvTf4aP

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\3A4AB\\91D95.exe"	2b1432ef93e6466c27d4ac59028ee254.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2732-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2968-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2968-131-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1900-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2968-262-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2732	2968	2b1432ef93e6466c27d4ac59028ee254.exe	28
PID 2968 wrote to memory of 2732	2968	2b1432ef93e6466c27d4ac59028ee254.exe	28
PID 2968 wrote to memory of 2732	2968	2b1432ef93e6466c27d4ac59028ee254.exe	28
PID 2968 wrote to memory of 2732	2968	2b1432ef93e6466c27d4ac59028ee254.exe	28
PID 2968 wrote to memory of 1900	2968	2b1432ef93e6466c27d4ac59028ee254.exe	30
PID 2968 wrote to memory of 1900	2968	2b1432ef93e6466c27d4ac59028ee254.exe	30
PID 2968 wrote to memory of 1900	2968	2b1432ef93e6466c27d4ac59028ee254.exe	30
PID 2968 wrote to memory of 1900	2968	2b1432ef93e6466c27d4ac59028ee254.exe	30

C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe
"C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe
  C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe startC:\Program Files (x86)\LP\9563\D9A.exe%C:\Program Files (x86)\LP\9563
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe
  C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe startC:\Program Files (x86)\AB5DA\lvvm.exe%C:\Program Files (x86)\AB5DA
  2⤵
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3A4AB\B5DA.A4A

Filesize
996B

MD5
da98c6c6f47ee6604164f90f9c01d19a

SHA1
11b42cfe5b9ccdb8e19743838cb2ba125a8081dd

SHA256
ee589b65892e452191ffef193c909680e6b67ccd4cd9bfee0e4f2e6ddba79a2e

SHA512
a93e053c989733cedba3f7435db5592b5953140b603f1c18fbb199d9c8488b4ea8ddb9af3cd696005519c79180ef5d8026b3a1738110c04c549faf653f146752

Download Submit
C:\Users\Admin\AppData\Roaming\3A4AB\B5DA.A4A

Filesize
600B

MD5
2464bbaa0478cbeff78d8eaef10e41aa

SHA1
a6751afe01cf70ffc0602ba582e9e31821c82eeb

SHA256
ebbbf432082e1ea0d2d6054ddda8137af2334575af0dc7e37293a4d037eca0ae

SHA512
e8e7edfff501c9824e6e2a0f3de36db9e3a2e919df57aaf0943e0ea7a67e62e5f9de8382c1c30bd0ef37a31c997731c19b241eda18de41c0a9ccf861ca38bf4a

Download Submit
C:\Users\Admin\AppData\Roaming\3A4AB\B5DA.A4A

Filesize
1KB

MD5
945f0e1fc486aed85c5af159d3fdf7da

SHA1
103df552e8cee5aec6a86d888d013ee459c293ca

SHA256
a41484772fb9117cd068d95a53d615255d0c85e19dab026c374b18b42e5977cb

SHA512
fb2ce4071ca9fff89ac12ba6339ff5c64036fd163d63d9d19e9bc60df53030ed86bdd2ac90e03670ba24b7de5783ca4513676b48d64eca85d80acb747e39d0d9

Download Submit
memory/1900-133-0x000000000029B000-0x00000000002B2000-memory.dmp

Filesize
92KB

Download
memory/1900-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2732-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2732-16-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2968-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-131-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-134-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2968-4-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2968-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-262-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads