786649865ae689a192f0be9c587fa810bbc43a0e6c1fb85bcc9a16f13cd7dcf0

General

Target

597338975e363dee4a6074ca3b0558a4.exe
Size

553KB
MD5

597338975e363dee4a6074ca3b0558a4
SHA1

15fa3b3bd8ad38e7068289a7265f06c87e372dc5
SHA256

786649865ae689a192f0be9c587fa810bbc43a0e6c1fb85bcc9a16f13cd7dcf0
SHA512

ae8179c1ea574474de05455f1176d12ddf1251b1bb0a712dbb11dcddbd1e26511ebdd5cdebbbdfb271f01640d111a5ad608f4355ccf5aae7bfdb1ec97d0d95e7
SSDEEP

12288:RPghtCL/iDQNyY7WtmBakSUOPvBCUAtcs:GhtQqDQNITkTOnB/s

Score

7^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/2736-30-0x0000000060220000-0x0000000060229000-memory.dmp	acprotect
behavioral1/memory/2736-26-0x0000000060220000-0x0000000060229000-memory.dmp	acprotect
behavioral1/files/0x0009000000015daa-24.dat	acprotect
behavioral1/files/0x0007000000015d20-21.dat	acprotect
behavioral1/files/0x0007000000015cbc-18.dat	acprotect
behavioral1/files/0x000d000000012301-16.dat	acprotect
behavioral1/files/0x0033000000015c75-14.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2736	Firefox.exe

Loads dropped DLL 5 IoCs

pid	Process
2736	Firefox.exe
2736	Firefox.exe
2736	Firefox.exe
2736	Firefox.exe
2736	Firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-30-0x0000000060220000-0x0000000060229000-memory.dmp	upx
behavioral1/memory/2736-31-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral1/memory/2736-29-0x0000000060210000-0x000000006021A000-memory.dmp	upx
behavioral1/memory/2736-28-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral1/memory/2736-27-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral1/memory/2736-26-0x0000000060220000-0x0000000060229000-memory.dmp	upx
behavioral1/memory/2736-25-0x0000000060210000-0x000000006021A000-memory.dmp	upx
behavioral1/files/0x0009000000015daa-24.dat	upx
behavioral1/memory/2736-23-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral1/files/0x0007000000015d20-21.dat	upx
behavioral1/memory/2736-20-0x0000000060170000-0x00000000601D7000-memory.dmp	upx
behavioral1/files/0x0007000000015cbc-18.dat	upx
behavioral1/files/0x000d000000012301-16.dat	upx
behavioral1/files/0x0033000000015c75-14.dat	upx

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2736	Firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	597338975e363dee4a6074ca3b0558a4.exe
Token: 33	1984	597338975e363dee4a6074ca3b0558a4.exe
Token: SeIncBasePriorityPrivilege	1984	597338975e363dee4a6074ca3b0558a4.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2360	1984	597338975e363dee4a6074ca3b0558a4.exe	3
PID 1984 wrote to memory of 2360	1984	597338975e363dee4a6074ca3b0558a4.exe	3
PID 1984 wrote to memory of 2360	1984	597338975e363dee4a6074ca3b0558a4.exe	3
PID 2360 wrote to memory of 2736	2360	cmd.exe	1
PID 2360 wrote to memory of 2736	2360	cmd.exe	1
PID 2360 wrote to memory of 2736	2360	cmd.exe	1
PID 2360 wrote to memory of 2736	2360	cmd.exe	1

C:\Users\Admin\AppData\Local\Temp\Firefox.exe
C:\Users\Admin\AppData\Local\Temp\Firefox.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2736

C:\Windows\system32\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\Firefox.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\597338975e363dee4a6074ca3b0558a4.exe
"C:\Users\Admin\AppData\Local\Temp\597338975e363dee4a6074ca3b0558a4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firefox.exe

Filesize
80KB

MD5
867dc5e41ce5efcf6cb6503f9c097078

SHA1
89d08200c9f26d8435575bd3216ad3d2a1ea9ecf

SHA256
2b7e9ccc3ad34a02fe6c96ddacbf0b603c0a17f802444949a34f51baf2cad411

SHA512
ac322f9392f4677c56aee0be1864e74262e8afca8a361ccf146d4dee4283a4c0534505114f00c18d1ed5739608bfbeb746f48d8ecbabf3aa618b342c77f63da3

Download Submit
\Users\Admin\AppData\Local\Temp\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
\Users\Admin\AppData\Local\Temp\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
\Users\Admin\AppData\Local\Temp\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
memory/1984-4-0x0000000000710000-0x0000000000790000-memory.dmp

Filesize
512KB

Download
memory/1984-0-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-1-0x0000000000710000-0x0000000000790000-memory.dmp

Filesize
512KB

Download
memory/1984-2-0x000000001AF30000-0x000000001AFB6000-memory.dmp

Filesize
536KB

Download
memory/1984-32-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-3-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-23-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/2736-29-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/2736-31-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download
memory/2736-30-0x0000000060220000-0x0000000060229000-memory.dmp

Filesize
36KB

Download
memory/2736-28-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/2736-20-0x0000000060170000-0x00000000601D7000-memory.dmp

Filesize
412KB

Download
memory/2736-27-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download
memory/2736-25-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/2736-26-0x0000000060220000-0x0000000060229000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing