673aa7a640923b7eb70953ad011e5b1882ac521c7621652354eb1e0d2e4b6c27

General

Target

4bd81bdb20be2f4a638847fe6e0d5ede.exe
Size

172KB
MD5

4bd81bdb20be2f4a638847fe6e0d5ede
SHA1

b2f1028c6803b037792f6638e544260305b825fc
SHA256

673aa7a640923b7eb70953ad011e5b1882ac521c7621652354eb1e0d2e4b6c27
SHA512

8075e340748e24a2d11cf7e565230fb61606ad201a0a23f4bfb87949dd6c3d7be6e42c83e4859c82f55f36bfce9e6486a1e06c50be7aa6f8e02e08da0bef6ceb
SSDEEP

3072:woPnT/DOjlc9RPjRw2aa4XTolVpnvPDB/9XgCDuyEr/Ox4wNpxY0AgGkCv:wsTCRc3PSamOpnjHvuNS9v3wZv

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\00466\\176F1.exe"	4bd81bdb20be2f4a638847fe6e0d5ede.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-1-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2796-4-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2588-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2588-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2796-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2796-112-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/704-116-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/704-115-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/704-232-0x00000000006C0000-0x00000000007C0000-memory.dmp	upx
behavioral1/memory/2796-235-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2588	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	29
PID 2796 wrote to memory of 2588	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	29
PID 2796 wrote to memory of 2588	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	29
PID 2796 wrote to memory of 2588	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	29
PID 2796 wrote to memory of 704	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	31
PID 2796 wrote to memory of 704	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	31
PID 2796 wrote to memory of 704	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	31
PID 2796 wrote to memory of 704	2796	4bd81bdb20be2f4a638847fe6e0d5ede.exe	31

C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe
"C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe
  C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe startC:\Program Files (x86)\LP\F170\00A.exe%C:\Program Files (x86)\LP\F170
  2⤵
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe
  C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe startC:\Program Files (x86)\666EA\lvvm.exe%C:\Program Files (x86)\666EA
  2⤵
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\00466\66EA.046

Filesize
996B

MD5
f9753284166dd24452e070f77c295cb2

SHA1
a24874e22e9a1e9456692c975dada46c5c39d680

SHA256
6dd00b32bcec8c145a0aaed0556b0eb61142d6698e5725ba098689858bd06aaf

SHA512
129fcd18e9f8e1f8a2f839d5479213433e96cb47a0c77388aa3610e4aa5568a155d6099aaabac39421923348745fa10512a9326329ed6c3ea90f61726a1299eb

Download Submit
C:\Users\Admin\AppData\Roaming\00466\66EA.046

Filesize
600B

MD5
8db7f305151ccf3fdbea0327aaaaa39f

SHA1
57a066ffdefb7e19fbc7cab3867eaea26999fa95

SHA256
7f25ab0eb04efaf5b5ca5975571fd4625e0b68853c0f68ab03ad5eafdddef8b8

SHA512
84e36be61483eeb20cccb4f21eeea61a40c82fc8e98dfab30b95b21de03f747529726d7ffde8d5bd9dcee0f7b379501d77474401114db43cbdfbb5aa42b88b25

Download Submit
C:\Users\Admin\AppData\Roaming\00466\66EA.046

Filesize
1KB

MD5
4692ec4556295a1dafdf5c4e9a7d92f7

SHA1
c43cacd800834d6fcc1166172a4da00599e78a5a

SHA256
585e885a398e2d79791c5a5a95627a83031ae194ab8194aa7680c514e4a702a3

SHA512
d8fc256d6964fe6c4a08dc102189adc638a179ee78d472fd8fc59c00ae5298f95c62666b7c4c28afce8fdf6a6a44b25b730108ee83e5d0112c77f0ec162287fe

Download Submit
memory/704-232-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/704-117-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/704-115-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/704-116-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2588-14-0x0000000001E30000-0x0000000001F30000-memory.dmp

Filesize
1024KB

Download
memory/2796-112-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2796-113-0x0000000001F30000-0x0000000002030000-memory.dmp

Filesize
1024KB

Download
memory/2796-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2796-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2796-4-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2796-2-0x0000000001F30000-0x0000000002030000-memory.dmp

Filesize
1024KB

Download
memory/2796-235-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads