e1e370c5919eddb3eedd7ae80e5fea3d4351eb1021b2fc1498bae119281523f8

General

Target

55a7c195cc86ef43ca9d4f31a365e1e1.exe
Size

167KB
MD5

55a7c195cc86ef43ca9d4f31a365e1e1
SHA1

fa68d4559b60decaa36e979eced4d7e894c2baa6
SHA256

e1e370c5919eddb3eedd7ae80e5fea3d4351eb1021b2fc1498bae119281523f8
SHA512

7c23b2d8fe3693249b0f751c021f4a146727213d4dfd3c09ca1cbd5099a3f68a3f675e93c61169389a4e2c4af428603d854ce3a31524b1134d7441a1357a4951
SSDEEP

3072:a5R/szzKITrAtHJcs9HlkMXCbHTeq9I+Qzn7eP4DNCZpTu8kyxdyIz1HrE:MMzKiEtCgFkA4Cq9I+dADoZpTumz5rE

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	55a7c195cc86ef43ca9d4f31a365e1e1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2956-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3036-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3036-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2956-79-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1836-80-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2956-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1836-156-0x00000000005B0000-0x00000000006B0000-memory.dmp	upx
behavioral1/memory/2956-183-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2956-184-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3036	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	28
PID 2956 wrote to memory of 3036	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	28
PID 2956 wrote to memory of 3036	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	28
PID 2956 wrote to memory of 3036	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	28
PID 2956 wrote to memory of 1836	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	30
PID 2956 wrote to memory of 1836	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	30
PID 2956 wrote to memory of 1836	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	30
PID 2956 wrote to memory of 1836	2956	55a7c195cc86ef43ca9d4f31a365e1e1.exe	30

C:\Users\Admin\AppData\Local\Temp\55a7c195cc86ef43ca9d4f31a365e1e1.exe
"C:\Users\Admin\AppData\Local\Temp\55a7c195cc86ef43ca9d4f31a365e1e1.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\55a7c195cc86ef43ca9d4f31a365e1e1.exe
  C:\Users\Admin\AppData\Local\Temp\55a7c195cc86ef43ca9d4f31a365e1e1.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\55a7c195cc86ef43ca9d4f31a365e1e1.exe
  C:\Users\Admin\AppData\Local\Temp\55a7c195cc86ef43ca9d4f31a365e1e1.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5E5F.AB0

Filesize
597B

MD5
669bfebf6350009e1198de0e4c4e1c77

SHA1
62b25e5a864650cd5401f1cf34239d92e29bd802

SHA256
d12e0fa92e99bf0c3f1810e5b8f1db8cdd4662d0052242372b85250d0e2e71d6

SHA512
de69c18701c7f943e81bd6c1268adef3ae12966f49e30036d496726e136dceb9d88ff861afee76f39825c8ff9dcd60bd2dd7074b1b34339b0f06a8cfe3b6114b

Download Submit
C:\Users\Admin\AppData\Roaming\5E5F.AB0

Filesize
1KB

MD5
b05e2f8256c505924a29d39244b832e5

SHA1
64d40ce40007923dc044c0f9b15ce54b3ebf9231

SHA256
cb574a350837d9649de5715073f50a52ea7d01e2eac96a46c9a6e4177d290230

SHA512
a0b4e7aa946806dd293b314a56bfd10d41890c1e8a75884bc7b9b2ed70a5d8f2da3c8f1acf9d22fe81bf2e9d8a4d2076b236e6c6c988134bac04c29f0483eed3

Download Submit
C:\Users\Admin\AppData\Roaming\5E5F.AB0

Filesize
897B

MD5
0cee347aae69c44f0f44e8a12ab386a1

SHA1
5d4d7c84b00f017c6584719b6e014623f342958d

SHA256
166fc1ec424612cc3580b7f6de182d78400688ccca71f3d666e3fd6921b86578

SHA512
a0eb4d7927c5aa171bc87b93eddea3cfbbf35d77478cd1445aba7b73c48d486f92b89681c86a7559d80d0be91ae25d1bcdeaa142dfcdc15e967c1070ef519347

Download Submit
C:\Users\Admin\AppData\Roaming\5E5F.AB0

Filesize
1KB

MD5
d13982ae330a1ab69d989c9b6b6ac04f

SHA1
09031e9dd66a4253ba03c8e0eef03545977afe37

SHA256
d7520d3ecbcb3b82378c9b7d86d888fe385857746db87a1168a61ac8b95e7f71

SHA512
d45585affdc59d7e71fe8a2f58f3d6e4b4007829747d137221995bd0a5108a14873b2147dbeb79c0f3670f705a9a7e449b525b43be7d2ed46c016e9ccdcb8788

Download Submit
memory/1836-156-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1836-81-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1836-80-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2956-83-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2956-79-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2956-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2956-3-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2956-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2956-183-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2956-184-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3036-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3036-9-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/3036-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads