7df76a319373b547219b28e7222c97527bf6589ca2fa617e683517e98978d059

General

Target

878c566de276df6679ec513a6450f4b2.exe
Size

185KB
MD5

878c566de276df6679ec513a6450f4b2
SHA1

f2034a88a23cc38d6bf6aa8faa9173bc6b715b50
SHA256

7df76a319373b547219b28e7222c97527bf6589ca2fa617e683517e98978d059
SHA512

7257d443497fb78933208f5ae61e969dcd0eb46478901b2666e7299e3a5bee2e5a40396dbf4a03d693bf0e416ab7ba8160b81ed31fa0b497e606d80fb25cc867
SSDEEP

3072:3k1qCmOEVlxJJLf8Lk8TpUjwIdunWQrHbMsKJDVHi+mvUQwKizTDLyn6OYBQfmzN:3k1ZmOgxJJ43dOdunX7MPJDVC+g6zjaG

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	878c566de276df6679ec513a6450f4b2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1056-1-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1056-2-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1056-3-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1056-4-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1056-5-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1056-6-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1056-9-0x0000000000400000-0x0000000000495000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WINAG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\878c566de276df6679ec513a6450f4b2.exe /cs:1 "	878c566de276df6679ec513a6450f4b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINAG = "\"C:\\4f534f8\\WinADGuard.exe\" /s"	878c566de276df6679ec513a6450f4b2.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\	878c566de276df6679ec513a6450f4b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3136	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 3136	1056	878c566de276df6679ec513a6450f4b2.exe	87
PID 1056 wrote to memory of 3136	1056	878c566de276df6679ec513a6450f4b2.exe	87
PID 1056 wrote to memory of 3136	1056	878c566de276df6679ec513a6450f4b2.exe	87
PID 1056 wrote to memory of 4864	1056	878c566de276df6679ec513a6450f4b2.exe	97
PID 1056 wrote to memory of 4864	1056	878c566de276df6679ec513a6450f4b2.exe	97
PID 1056 wrote to memory of 4864	1056	878c566de276df6679ec513a6450f4b2.exe	97

C:\Users\Admin\AppData\Local\Temp\878c566de276df6679ec513a6450f4b2.exe
"C:\Users\Admin\AppData\Local\Temp\878c566de276df6679ec513a6450f4b2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM MSASCui* /IM avg* /IM ash* /IM McSA*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat" >> NUL
  2⤵
  PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
183B

MD5
822e76592870b80729cf9824146a042d

SHA1
d1b4b6e5cc9de93cc653df6c277cf47727c6b79f

SHA256
f38d8764fb335a2d68dae5f73a26d21639ab0a43508a3f9ce28f60c1f930d445

SHA512
a32001b5269e06f1d424d9ebc30ba60930ab790e0d863970dc482b877f3694bf6f6401b335793ff85cf3047356560f9c8b5781a8d5aa170228794b8079bf2e5e

Download Submit
memory/1056-0-0x00000000020B0000-0x00000000020DB000-memory.dmp

Filesize
172KB

Download
memory/1056-1-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1056-2-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1056-3-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1056-4-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1056-5-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1056-6-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1056-9-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads