71ffdffd191827a5fbb7382daac52a13135aa18909bd0d70bbd13de31e6da5b2

General

Target

c95bf1ea56d0cb7860deac7e4ea7319c.exe
Size

132KB
MD5

c95bf1ea56d0cb7860deac7e4ea7319c
SHA1

d37545f389aece394669bf390df1fda01a13f46d
SHA256

71ffdffd191827a5fbb7382daac52a13135aa18909bd0d70bbd13de31e6da5b2
SHA512

c72c042cefcc3e608fe555271bdd1d81e75a18998a5dde0c8a7759db345ff890bd2f18cde0d7ab631bbe574b565703066e9833e904e9b99e951cda5df88b699d
SSDEEP

3072:X3OCAYNb/Cg36cLJwtMDSaSRB0SiaQ8RU6CHnPX:XVAYNSiyMpSY9a/RZEX

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	c95bf1ea56d0cb7860deac7e4ea7319c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-2-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2192-5-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2860-9-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2980-60-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2860-62-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2860-134-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2192	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	28
PID 2860 wrote to memory of 2192	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	28
PID 2860 wrote to memory of 2192	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	28
PID 2860 wrote to memory of 2192	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	28
PID 2860 wrote to memory of 2980	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	30
PID 2860 wrote to memory of 2980	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	30
PID 2860 wrote to memory of 2980	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	30
PID 2860 wrote to memory of 2980	2860	c95bf1ea56d0cb7860deac7e4ea7319c.exe	30

C:\Users\Admin\AppData\Local\Temp\c95bf1ea56d0cb7860deac7e4ea7319c.exe
"C:\Users\Admin\AppData\Local\Temp\c95bf1ea56d0cb7860deac7e4ea7319c.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\c95bf1ea56d0cb7860deac7e4ea7319c.exe
  C:\Users\Admin\AppData\Local\Temp\c95bf1ea56d0cb7860deac7e4ea7319c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\c95bf1ea56d0cb7860deac7e4ea7319c.exe
  C:\Users\Admin\AppData\Local\Temp\c95bf1ea56d0cb7860deac7e4ea7319c.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\78D5.DA6

Filesize
1KB

MD5
470ac6f13b5879f2d5b42e4514173f17

SHA1
1eb1553210d8dd5b2ce4a14f8533116f692a84c7

SHA256
09ff064504dbae3b3667d17a4f1b6edb3acb5a30bfff691d4f7f2f4dfe9040e5

SHA512
f316cba6d07ea2698cee3b91faa61eefe6875cf324c4f7a843397a72de8692f9324d8cc82be48412313462675974b30761f915fa39771f934f2675212c555096

Download Submit
C:\Users\Admin\AppData\Roaming\78D5.DA6

Filesize
300B

MD5
932ddd33002537980c0624552183b4ed

SHA1
0c31b612dba7423fa3a5f900e608b85f18016e1a

SHA256
f246e988823afa029c8395fd34bf676dec998bb2b9a31c0f0a4355a2b82e617d

SHA512
db1c925b805a155181131af0e1abcfebb1842f5506973f165c57f8020c6fff78186de8f389acf69bd8a2df4e3fdf00cd1a2ceb82ac4fdae4cbbb98b57b868a55

Download Submit
C:\Users\Admin\AppData\Roaming\78D5.DA6

Filesize
696B

MD5
ac7a947e0d31635f72ff11372e5e58a3

SHA1
280ed64c98513f0f2dee13e7cadfb28ee1235d68

SHA256
60d283005fe0c780eee1f058c335af5813e2063084ff724a6f6461afaf996c3c

SHA512
04783903c3bccdcac8f7dcd27c98db4aaaf4bc6b29ba5395f3a24bdaff864edc107473dd9383da855b80f4d18ce5f09d3878e66c1d5f5d123b04ce8b97eadde4

Download Submit
memory/2192-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2192-6-0x0000000000905000-0x0000000000922000-memory.dmp

Filesize
116KB

Download
memory/2860-63-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2860-2-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2860-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2860-3-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-134-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2980-60-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2980-61-0x0000000000275000-0x0000000000292000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads