3e3d076b7cf6b25043b23cffc19d680eb3d232c6d680f67c06fb607297320168

General

Target

879a7d3dfe5891acedbeb79ecb66161b.exe
Size

210KB
MD5

879a7d3dfe5891acedbeb79ecb66161b
SHA1

1644ffc76f698c49376113ad8736db7663fb9683
SHA256

3e3d076b7cf6b25043b23cffc19d680eb3d232c6d680f67c06fb607297320168
SHA512

ae060edaec80e3874b0a20e5b0a51aeee7d6f43f4957e31ccbb819fc65d74e9a2f2c1f2991523c683289ef86761f1ae98d0e311706107fcfb1bf200fe71e463b
SSDEEP

3072:nKnh2p1osZBKfZcdYKzl4Of98uLotDhU9RObZQRFs5Oc3FY4MB8htN2hOs:ngcQZwJ4OV8ioB+9oZQRFI1Y4+th

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\shell.exe"	879a7d3dfe5891acedbeb79ecb66161b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1888-3-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2796-4-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2796-5-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1888-8-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2808-9-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1888-131-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2796	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	28
PID 1888 wrote to memory of 2796	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	28
PID 1888 wrote to memory of 2796	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	28
PID 1888 wrote to memory of 2796	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	28
PID 1888 wrote to memory of 2808	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	30
PID 1888 wrote to memory of 2808	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	30
PID 1888 wrote to memory of 2808	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	30
PID 1888 wrote to memory of 2808	1888	879a7d3dfe5891acedbeb79ecb66161b.exe	30

C:\Users\Admin\AppData\Local\Temp\879a7d3dfe5891acedbeb79ecb66161b.exe
"C:\Users\Admin\AppData\Local\Temp\879a7d3dfe5891acedbeb79ecb66161b.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\879a7d3dfe5891acedbeb79ecb66161b.exe
  C:\Users\Admin\AppData\Local\Temp\879a7d3dfe5891acedbeb79ecb66161b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\879a7d3dfe5891acedbeb79ecb66161b.exe
  C:\Users\Admin\AppData\Local\Temp\879a7d3dfe5891acedbeb79ecb66161b.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
e17dbc37f4276cc71b13119ed93df91e

SHA1
42d4255de218d0a366a9e3f0764b6636046aedb9

SHA256
925b54daf3a51f63d5d3cf147059a236e0402fd1dfc9076a53cbf1d1a77c5697

SHA512
d74103bd95942229b1678719e7a7dce018c18fec8f11527a7bab8f8b8f33ac245fe565411483f3ed7be95c1bb163052686e3b80b09e5531de65e5205380d5624

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
396B

MD5
0a86c9bc606cb0dc2fa9c3842738597e

SHA1
ad1e8a8b8113c9a0bf11328397e80b50eef88b8f

SHA256
36b1e2a415bf3dab7491045a30c5e34cef6c4b678d0f37c48d5f78969d99eb9d

SHA512
2eed84377d9c9c28c42210d9bab91b6ea01e87c011db6842bad7b9a955186edc8f1724f3c4ac01dffc6a9108d127f90eac806796b8f2d6f34c6ad4f25d33800a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
792B

MD5
8060f9f7e5274340cfd0cd612615adbe

SHA1
44cc3f9f0111cb3ebc10106ce9b91ac4568f8bca

SHA256
eaedcea9a897cdb5d59a1fbf402de2339631d323743fae6ac274f73b90256a41

SHA512
a909d41e118748739cdb0a671c5551ce89858580cae485d32ce8955300d13ec77814174b06a5aaebae2b62d1119ac206827a55de32e03e9b469d38a71c2fe36d

Download Submit
memory/1888-0-0x0000000000240000-0x0000000000272000-memory.dmp

Filesize
200KB

Download
memory/1888-1-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/1888-3-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1888-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1888-131-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2796-4-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2796-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2808-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads