3569b1de9692e5ca5c8a7fb73d52bdabd6bddfd652cab6d10cfb2c2a69c96e6d

General

Target

c944d68dffe67e2d03f86ccef6304504.exe
Size

183KB
MD5

c944d68dffe67e2d03f86ccef6304504
SHA1

6334a2a9be21fee3d10ba747f24b020c2ac01a2c
SHA256

3569b1de9692e5ca5c8a7fb73d52bdabd6bddfd652cab6d10cfb2c2a69c96e6d
SHA512

e4839499736c9d8693167e2c53d87065a2f49d72397bcce3d72af44cfdb194d33cdf2841891b85628507c3964e79fa8d18b2750627d7c9944a0891d379648658
SSDEEP

3072:RIL4cewfF6FmgF63CLjPentd85YPx37jfA0YC5HE9WVHzYmQWuB:RMY4FobF63OutzPV3fpYCxMkH7u

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	c944d68dffe67e2d03f86ccef6304504.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1168-1-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2708-13-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2708-12-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1168-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2372-72-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1168-74-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2708-141-0x0000000000600000-0x0000000000700000-memory.dmp	upx
behavioral1/memory/1168-142-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2372-143-0x0000000000540000-0x0000000000640000-memory.dmp	upx
behavioral1/memory/1168-174-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1168-181-0x0000000000400000-0x000000000048C000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2708	1168	c944d68dffe67e2d03f86ccef6304504.exe	28
PID 1168 wrote to memory of 2708	1168	c944d68dffe67e2d03f86ccef6304504.exe	28
PID 1168 wrote to memory of 2708	1168	c944d68dffe67e2d03f86ccef6304504.exe	28
PID 1168 wrote to memory of 2708	1168	c944d68dffe67e2d03f86ccef6304504.exe	28
PID 1168 wrote to memory of 2372	1168	c944d68dffe67e2d03f86ccef6304504.exe	30
PID 1168 wrote to memory of 2372	1168	c944d68dffe67e2d03f86ccef6304504.exe	30
PID 1168 wrote to memory of 2372	1168	c944d68dffe67e2d03f86ccef6304504.exe	30
PID 1168 wrote to memory of 2372	1168	c944d68dffe67e2d03f86ccef6304504.exe	30

C:\Users\Admin\AppData\Local\Temp\c944d68dffe67e2d03f86ccef6304504.exe
"C:\Users\Admin\AppData\Local\Temp\c944d68dffe67e2d03f86ccef6304504.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\c944d68dffe67e2d03f86ccef6304504.exe
  C:\Users\Admin\AppData\Local\Temp\c944d68dffe67e2d03f86ccef6304504.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\c944d68dffe67e2d03f86ccef6304504.exe
  C:\Users\Admin\AppData\Local\Temp\c944d68dffe67e2d03f86ccef6304504.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5FC0.DEA

Filesize
1KB

MD5
d1d3ef67c7be29ae5f0cbf75a827deaf

SHA1
0e316918928c697548688edb595bfb4ccdb74989

SHA256
fdcd330f6cf14caab381933d2827cfb09aa9bc3d300af796843894d85d6b4893

SHA512
0cce8d919e32d61f6973396978c2f217c00a3838ba9b2a10b6cca0ff6cf32c6375059bcfd86f53aeaf47118aef43e02e6631be272688b991ba45be25d20f2c89

Download Submit
C:\Users\Admin\AppData\Roaming\5FC0.DEA

Filesize
1KB

MD5
6a8dab205bc81e7f3aefe4a38a1c9624

SHA1
6c5b0d894f9f01aa651d0cf4d0f7b3da71a8f7ea

SHA256
49720c421bb3f14172723d829daab05f27ba980c202e988d591adf6cc462c981

SHA512
556e0a1944ae6abfbb4fdf2d407f79776588e001e17b774aad9c24d65c751584913e209c8e7ab3b0ab45cf7abe22fecd2c7cd12b2095ce0003e25070b884833e

Download Submit
C:\Users\Admin\AppData\Roaming\5FC0.DEA

Filesize
600B

MD5
7a4cc5de5e14c2b3d90f6d7460ace385

SHA1
04dad15b65028894ce4af0b2d34b9b9d5721351c

SHA256
1cc3851ed16eeba222e8a93615ac2c8d2c8bbd74743254e620217f8dc0c29aa2

SHA512
b685f614713f9bb1ff49512777cd3f296e8c453204307121534506e3f0de59ab578235fa7f4f3db1f11fb7206bab33a5fbd21e4280d00d31c092c9e1b8afa191

Download Submit
C:\Users\Admin\AppData\Roaming\5FC0.DEA

Filesize
996B

MD5
0b3fbde62d7cd37a05e355b9b60a0a36

SHA1
4b65525889d596c33c25eaf595d2de5e489e0f30

SHA256
513648e9047a1f3d59ce340969f68903e91e6592ceb69eff9c9de6405e2e2350

SHA512
90b81830ad2c90edcda728562d836bf25de90a215eb79341906ecfac061ec3d4bf77ebaaa61295c81adcf180faaf7153151bfebab6c4ae558bc8f1ddc5cbc8be

Download Submit
memory/1168-3-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/1168-181-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1168-174-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1168-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1168-142-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1168-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1168-74-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1168-75-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2372-73-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2372-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2372-143-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2708-141-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2708-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2708-14-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2708-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads