7f5db97c477e0feb45031d61b6cb1a54da2e38afe6228db68ff0363445da8b55

General

Target

795b658d0b24ee576ffcaecfca6e0e7d.exe
Size

170KB
MD5

795b658d0b24ee576ffcaecfca6e0e7d
SHA1

b546d3c58eb6a3a9ca82ed18d3969706474934a1
SHA256

7f5db97c477e0feb45031d61b6cb1a54da2e38afe6228db68ff0363445da8b55
SHA512

4d4f8d95bd6a4fea71e761b8306d7fbd9f47f3c0d6f3a682ca52be047ecca62cf7910d41f2e29784575c5035ada0713261f4adbb935afb2029821271efe660e5
SSDEEP

3072:DfLLXNjFCwEAHNcwNbBCcPcI3ZdlF1LS5aFZ0q4PMiXL8sUDIgqhloQt:bX9B1EAHawNlNp3/v1WMUtkiUW

Score

7^/10

aspackv2 spyware stealer

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\pw.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

pw.exe

pid process

1600 pw.exe
Executes dropped EXE 1 IoCs

Processes:

pw.exe

pid process

1600 pw.exe
Loads dropped DLL 2 IoCs

Processes:

795b658d0b24ee576ffcaecfca6e0e7d.exe

pid process

1720 795b658d0b24ee576ffcaecfca6e0e7d.exe
1720 795b658d0b24ee576ffcaecfca6e0e7d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1600	pw.exe

pid	process
1600	pw.exe

pid	process
1720	795b658d0b24ee576ffcaecfca6e0e7d.exe
1720	795b658d0b24ee576ffcaecfca6e0e7d.exe

Modifies registry class 36 IoCs

Processes:

pw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content Type = "application/x-msdownload"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "pezfile"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\ = "Application"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas\command\ = "\"%1\" %*"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\DefaultIcon	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pw.exe\" /START \"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start\command	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start\command	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open\command\IsolatedCommand = "\"%1\" %*"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start\command\ = "\"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\Content Type = "application/x-msdownload"	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\DefaultIcon\ = "%1"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas\command	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pw.exe\" /START \"%1\" %*"	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open\command	pw.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas	pw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start\command\IsolatedCommand = "\"%1\" %*"	pw.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pw.exe

pid process

1600 pw.exe
1600 pw.exe
1600 pw.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pw.exe

pid process

1600 pw.exe
1600 pw.exe
1600 pw.exe

pid	process
1600	pw.exe
1600	pw.exe
1600	pw.exe

pid	process
1600	pw.exe
1600	pw.exe
1600	pw.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

795b658d0b24ee576ffcaecfca6e0e7d.exe

description	pid	process	target process
PID 1720 wrote to memory of 1600	1720	795b658d0b24ee576ffcaecfca6e0e7d.exe	pw.exe
PID 1720 wrote to memory of 1600	1720	795b658d0b24ee576ffcaecfca6e0e7d.exe	pw.exe
PID 1720 wrote to memory of 1600	1720	795b658d0b24ee576ffcaecfca6e0e7d.exe	pw.exe
PID 1720 wrote to memory of 1600	1720	795b658d0b24ee576ffcaecfca6e0e7d.exe	pw.exe

C:\Users\Admin\AppData\Local\Temp\795b658d0b24ee576ffcaecfca6e0e7d.exe
"C:\Users\Admin\AppData\Local\Temp\795b658d0b24ee576ffcaecfca6e0e7d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\pw.exe
"C:\Users\Admin\AppData\Local\pw.exe" /GAV C:\Users\Admin\AppData\Local\Temp\795b658d0b24ee576ffcaecfca6e0e7d.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\pw.exe
Filesize
170KB

MD5
795b658d0b24ee576ffcaecfca6e0e7d

SHA1
b546d3c58eb6a3a9ca82ed18d3969706474934a1

SHA256
7f5db97c477e0feb45031d61b6cb1a54da2e38afe6228db68ff0363445da8b55

SHA512
4d4f8d95bd6a4fea71e761b8306d7fbd9f47f3c0d6f3a682ca52be047ecca62cf7910d41f2e29784575c5035ada0713261f4adbb935afb2029821271efe660e5

Download Submit
memory/1600-20-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-27-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-21-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-23-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-22-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-33-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-16-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-18-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-19-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-30-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-29-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-28-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-26-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-24-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1600-25-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1720-5-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1720-3-0x0000000000250000-0x0000000000276000-memory.dmp

Filesize
152KB

Download
memory/1720-0-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1720-2-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1720-1-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1720-15-0x0000000002610000-0x0000000002745000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads