d3ad14f725c7e8494d4ffd6f7d57b583824cbb2a6265584e2cdefe603143de4e

General

Target

b7ac3edac8a2a84e707ec2faa77bf991.exe
Size

180KB
MD5

b7ac3edac8a2a84e707ec2faa77bf991
SHA1

6dc4e3f1d11c364e981ec6ff4c8586f1a752e043
SHA256

d3ad14f725c7e8494d4ffd6f7d57b583824cbb2a6265584e2cdefe603143de4e
SHA512

0acef717772d8429a99e93b549476e6e1ff39fdef6b36f1652472158c6a52c245623924807609e383cf895a2ae821233882e77ea79adce621b1ea86206ba4364
SSDEEP

3072:xreDqSy17OY2ZbZ7hSbPplbSXUDZMPXgUkNVzg2Swjeqbo5XZlKlVUQfkpPH:+jyoYCblhGPrhZGXsFHS0eH7eVfkpP

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	b7ac3edac8a2a84e707ec2faa77bf991.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-1-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2556-5-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2556-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2256-14-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2752-77-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2256-79-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2256-174-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2256-212-0x0000000000400000-0x0000000000485000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2556	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	27
PID 2256 wrote to memory of 2556	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	27
PID 2256 wrote to memory of 2556	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	27
PID 2256 wrote to memory of 2556	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	27
PID 2256 wrote to memory of 2752	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	29
PID 2256 wrote to memory of 2752	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	29
PID 2256 wrote to memory of 2752	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	29
PID 2256 wrote to memory of 2752	2256	b7ac3edac8a2a84e707ec2faa77bf991.exe	29

C:\Users\Admin\AppData\Local\Temp\b7ac3edac8a2a84e707ec2faa77bf991.exe
"C:\Users\Admin\AppData\Local\Temp\b7ac3edac8a2a84e707ec2faa77bf991.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\b7ac3edac8a2a84e707ec2faa77bf991.exe
  C:\Users\Admin\AppData\Local\Temp\b7ac3edac8a2a84e707ec2faa77bf991.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\b7ac3edac8a2a84e707ec2faa77bf991.exe
  C:\Users\Admin\AppData\Local\Temp\b7ac3edac8a2a84e707ec2faa77bf991.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\995F.C39

Filesize
1KB

MD5
1fd17fe768430d4800fcdc5418b8d536

SHA1
096351dba217bc2102b66e57fb9df6134bbd24a5

SHA256
7087e228005afe6846119e3dc28a65e664bf75e97c86dcff1a0281954f883e84

SHA512
7b53d4829abbf15c5d2eff0805872f07eb740896ec2612c4f4a1555fe14c36c97a6267f83207f2d0c240b6761601d1dc80960a325ee7a7626dc0a8857e519253

Download Submit
C:\Users\Admin\AppData\Roaming\995F.C39

Filesize
600B

MD5
5e4936badafe879f6dd7a536ff4f07a2

SHA1
21296921b8d5b82d6d30422cfe39d88ff69d74db

SHA256
b6acffc553ebc19f5c3b32e1f4d776550a4e0ddad4e8b9884baa9c7ca0c2c6e1

SHA512
2deea64ba0b1dd17d6c18e835c269836cc62a4c9f79dd8ef6e6c2366f3e2e329f1ca9f49efaa1222e85d4412dfb5cc07a43d15ada98ad502c01a326c83a3bea1

Download Submit
C:\Users\Admin\AppData\Roaming\995F.C39

Filesize
996B

MD5
a81dd1d214fb85776f3688c6e656c208

SHA1
2a70f70d6d98589b3dca9687a9f575e180cd29fc

SHA256
a34be4eacf4c792d6995e9317fbc655d557ac2e5bce3f434bc66d8e507d4d829

SHA512
c090c1b1c66229dc4b6b038d70a2b4c96cd1e6c7b7f6254dacb98b63de395aece73f99247f954e06a2864f19df50fc59e13d23dc64c5f988612425b3678725bf

Download Submit
memory/2256-79-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2256-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2256-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2256-80-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2256-2-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2256-174-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2256-212-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2556-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2556-7-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2556-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-77-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2752-78-0x00000000005B5000-0x00000000005DE000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads