629f5e5c5caa8dd385801b53682dc30281cc65b7cbff2652c69cc0b3d6cacec7

General

Target

978346772449caa77781cb1ca4a403b7.exe
Size

34KB
MD5

978346772449caa77781cb1ca4a403b7
SHA1

f0080cb7e41adc40b040a0282b0cf334aaeb4ca7
SHA256

629f5e5c5caa8dd385801b53682dc30281cc65b7cbff2652c69cc0b3d6cacec7
SHA512

cfe2e1f86e966063e14eaa00208d416ae8b6f18ace768784693b197f9086db4e7d125f866116db7b9aa8b244d4484d613a52a06f9510cbcefe3bc2e4ea1b12e8
SSDEEP

768:DX2bEGJcvLnKbyxwXeU2bK72Vh0y8cPWOp5zl7nyEdFfJT4:y2zKherb530yvh/+EN4

Score

8^/10

evasion spyware stealer upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2736	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2736	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3016-3-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3016-12-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ksuser.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\sysapp19.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	978346772449caa77781cb1ca4a403b7.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\midimap.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	978346772449caa77781cb1ca4a403b7.exe
File created	C:\Windows\SysWOW64\msimg32.dll	978346772449caa77781cb1ca4a403b7.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2808	sc.exe
2916	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3016	978346772449caa77781cb1ca4a403b7.exe
3016	978346772449caa77781cb1ca4a403b7.exe
3016	978346772449caa77781cb1ca4a403b7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3016	978346772449caa77781cb1ca4a403b7.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2792	3016	978346772449caa77781cb1ca4a403b7.exe	28
PID 3016 wrote to memory of 2792	3016	978346772449caa77781cb1ca4a403b7.exe	28
PID 3016 wrote to memory of 2792	3016	978346772449caa77781cb1ca4a403b7.exe	28
PID 3016 wrote to memory of 2792	3016	978346772449caa77781cb1ca4a403b7.exe	28
PID 3016 wrote to memory of 2808	3016	978346772449caa77781cb1ca4a403b7.exe	29
PID 3016 wrote to memory of 2808	3016	978346772449caa77781cb1ca4a403b7.exe	29
PID 3016 wrote to memory of 2808	3016	978346772449caa77781cb1ca4a403b7.exe	29
PID 3016 wrote to memory of 2808	3016	978346772449caa77781cb1ca4a403b7.exe	29
PID 3016 wrote to memory of 2916	3016	978346772449caa77781cb1ca4a403b7.exe	31
PID 3016 wrote to memory of 2916	3016	978346772449caa77781cb1ca4a403b7.exe	31
PID 3016 wrote to memory of 2916	3016	978346772449caa77781cb1ca4a403b7.exe	31
PID 3016 wrote to memory of 2916	3016	978346772449caa77781cb1ca4a403b7.exe	31
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 3016 wrote to memory of 2736	3016	978346772449caa77781cb1ca4a403b7.exe	33
PID 2792 wrote to memory of 2604	2792	net.exe	35
PID 2792 wrote to memory of 2604	2792	net.exe	35
PID 2792 wrote to memory of 2604	2792	net.exe	35
PID 2792 wrote to memory of 2604	2792	net.exe	35

C:\Users\Admin\AppData\Local\Temp\978346772449caa77781cb1ca4a403b7.exe
"C:\Users\Admin\AppData\Local\Temp\978346772449caa77781cb1ca4a403b7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2604
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2808
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2916
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1707752298.dat, ServerMain c:\users\admin\appdata\local\temp\978346772449caa77781cb1ca4a403b7.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1707752298.dat

Filesize
34KB

MD5
3162d8701c73b11ecde7c0d0079b749c

SHA1
abb564bf8504d8fcb8fed0a7ee4060bfe8c0cee6

SHA256
af37231868e9ef8676e9b57cf3ac26d5b06563c8cdb57929a782328bcf65f4ae

SHA512
7e98d716cf996b9704f6349bea1551c5fc7312b3b7fef6898568211319e7571ea3d12aae67b8f0a026213a6549de5dd0fc0fc392ef520ef948811a1dde5760dc

Download Submit
memory/3016-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3016-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3016-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing