d0e1f6c4f2a2013c4c62f6099b4ac6c8de49794ccf542437268ce4502ffdd694

General

Target

Zzee.php.gui.3.1.0.serial.maker.by.cat.exe
Size

354KB
MD5

4ef112c0207c23ee0edb78a05c82cadb
SHA1

6362a18b7e73f3f4c587c39cff041da251610a79
SHA256

903259f7971b4606942da5c51e20a83119acc1277e4960cc1d1b0b556fd18f5e
SHA512

83ec5adbce2feda3f830a1033204fed9b7da73b38c48191b9bf8b491f2dbc24ee2d2e2d947e4da18a07bba889a771e3ac1f50fe3f12044e0ba5216627c9ee7ca
SSDEEP

6144:IWlO87PzenJAxyXml7pbzZtVvOheZm9UuVxq1kp9YvEy9UHtf7ByphYFgHp:IWl2axyXml7lxvPmUuKvMHd7Ms

Score

7^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012248-7.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/856-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x000d000000012248-7.dat	upx
behavioral1/memory/3052-12-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral1/memory/856-13-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3052-14-0x0000000010000000-0x0000000010086000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msieql32.dll,feilxJfm"	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msieql32.dll	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe
File opened for modification	C:\Windows\SysWOW64\msieql32.dll	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
280	856	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe
856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe
856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe
856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 3052	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	28
PID 856 wrote to memory of 280	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	29
PID 856 wrote to memory of 280	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	29
PID 856 wrote to memory of 280	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	29
PID 856 wrote to memory of 280	856	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe	29

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Zzee.php.gui.3.1.0.serial.maker.by.cat.exe

C:\Users\Admin\AppData\Local\Temp\Zzee.php.gui.3.1.0.serial.maker.by.cat.exe
"C:\Users\Admin\AppData\Local\Temp\Zzee.php.gui.3.1.0.serial.maker.by.cat.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:856
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe msieql32.dll,feilxJfm
  2⤵
  - Loads dropped DLL
  PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 320
  2⤵
  - Program crash
  PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msieql32.dll

Filesize
171KB

MD5
637d7b9be6c3c00a16ea0008b0bee3ae

SHA1
6eaffdfc588dd4f5fe04adedbcf57a557d0d1845

SHA256
407b23f74fe725216eada2ade2c3c7ba800cc86be849e4237431016e0b29e8e7

SHA512
5fcd2a80674402892a5077a47f54bb5ad5d339aeab678710db0e728f45645b28472faa229f72835e2e4446f00ecacebba4d3bf138fe9cd36c5c0f57f6b0f4ae2

Download Submit
memory/856-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/856-1-0x0000000001D60000-0x0000000001DBA000-memory.dmp

Filesize
360KB

Download
memory/856-2-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/856-3-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/856-4-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/856-6-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/856-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/856-15-0x0000000001D60000-0x0000000001DBA000-memory.dmp

Filesize
360KB

Download
memory/856-17-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/3052-12-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/3052-14-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads