673aa7a640923b7eb70953ad011e5b1882ac521c7621652354eb1e0d2e4b6c27

General

Target

4bd81bdb20be2f4a638847fe6e0d5ede.exe
Size

172KB
MD5

4bd81bdb20be2f4a638847fe6e0d5ede
SHA1

b2f1028c6803b037792f6638e544260305b825fc
SHA256

673aa7a640923b7eb70953ad011e5b1882ac521c7621652354eb1e0d2e4b6c27
SHA512

8075e340748e24a2d11cf7e565230fb61606ad201a0a23f4bfb87949dd6c3d7be6e42c83e4859c82f55f36bfce9e6486a1e06c50be7aa6f8e02e08da0bef6ceb
SSDEEP

3072:woPnT/DOjlc9RPjRw2aa4XTolVpnvPDB/9XgCDuyEr/Ox4wNpxY0AgGkCv:wsTCRc3PSamOpnjHvuNS9v3wZv

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\F978B\\08076.exe"	4bd81bdb20be2f4a638847fe6e0d5ede.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-1-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3008-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3008-12-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5060-73-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2548-171-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2548-170-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5060-173-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5060-286-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5060-289-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5060-290-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3008	5060	4bd81bdb20be2f4a638847fe6e0d5ede.exe	91
PID 5060 wrote to memory of 3008	5060	4bd81bdb20be2f4a638847fe6e0d5ede.exe	91
PID 5060 wrote to memory of 3008	5060	4bd81bdb20be2f4a638847fe6e0d5ede.exe	91
PID 5060 wrote to memory of 2548	5060	4bd81bdb20be2f4a638847fe6e0d5ede.exe	99
PID 5060 wrote to memory of 2548	5060	4bd81bdb20be2f4a638847fe6e0d5ede.exe	99
PID 5060 wrote to memory of 2548	5060	4bd81bdb20be2f4a638847fe6e0d5ede.exe	99

C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe
"C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe
  C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe startC:\Program Files (x86)\LP\768F\D20.exe%C:\Program Files (x86)\LP\768F
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe
  C:\Users\Admin\AppData\Local\Temp\4bd81bdb20be2f4a638847fe6e0d5ede.exe startC:\Program Files (x86)\8B07E\lvvm.exe%C:\Program Files (x86)\8B07E
  2⤵
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F978B\B07E.978

Filesize
996B

MD5
ec6adc32bb8a8467bd92085657e8f1e8

SHA1
164fa73818507f310ec2bdb6d530b5423e035127

SHA256
a3c649feed74524b754a34c5f10a235b5696455f48acdb73348920c465540f26

SHA512
923a0afaaf82fef8a7e3f9fb58c00d474b86bc4af979189872603cad26a3c623d5beb4056c40d1c9f1071252b3ec02f2e315e02ac5948c94c7a209ca3e3117b5

Download Submit
C:\Users\Admin\AppData\Roaming\F978B\B07E.978

Filesize
600B

MD5
abd68e723e675b35af1c372f851e084c

SHA1
2d5c834c6a543915054719ac72cc2e911e9a1e8e

SHA256
0c3fb5504ebbaacd54294ecf7da976fb7da72c40fa5cc2ab1b6e919c5931d2f0

SHA512
da808f6f94c215bd509e3c0aabb467713ccbf7ee77108b5c24a198ede1aa2aa1f895dd342e0b7e6e7a7cda9a346bc3676d18a6381166d1ce0a6593625d07c804

Download Submit
C:\Users\Admin\AppData\Roaming\F978B\B07E.978

Filesize
300B

MD5
bf1b7b519d8898da4391daa3583575e3

SHA1
1b6bc5b861ad389c568816547eeb2d8f9859adce

SHA256
12c20905c1ee461c1c87d1a148f14c7223aaa4503a81b6e002f28ebb1b2438f2

SHA512
a5d8eea5959c7ec46b2e1ab232e4e4aeef6478e3ea5dd0f42f6dbe8559c3027e4e64efc7684951a145a011c1e92b6a878c83750e17a96627424f93b577507c96

Download Submit
memory/2548-172-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/2548-171-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2548-170-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3008-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3008-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3008-13-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/5060-73-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5060-2-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/5060-173-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5060-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5060-281-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/5060-286-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5060-289-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5060-290-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads