7e939ae8473173dee703448b707f0b06c40d441511f661a588f454e977c86278

General

Target

ca43e84804afc3aa10fcb9d8031fbe48.exe
Size

166KB
MD5

ca43e84804afc3aa10fcb9d8031fbe48
SHA1

bae95788126a210d7154e6594cd5dab4de8ffc06
SHA256

7e939ae8473173dee703448b707f0b06c40d441511f661a588f454e977c86278
SHA512

e905b72e49be1573179905ce83c69efc0bfea87d581b21c076cd28544dd7a7e9624d8567e7a8216f7ec7994ab23cc29bd68d5a81673588cc5c97a12eda203775
SSDEEP

3072:U029Fq4TKOdKNAd7HJNEJ0rE083A6VbUP+8Fry6mFx29L78VoXSK:U02qqHoK7nE+rw37VAy6mK78VoXSK

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\536F3\\8FA20.exe"	ca43e84804afc3aa10fcb9d8031fbe48.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2272-1-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1992-12-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2272-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3756-72-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3756-73-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2272-75-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2272-176-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1992	2272	ca43e84804afc3aa10fcb9d8031fbe48.exe	91
PID 2272 wrote to memory of 1992	2272	ca43e84804afc3aa10fcb9d8031fbe48.exe	91
PID 2272 wrote to memory of 1992	2272	ca43e84804afc3aa10fcb9d8031fbe48.exe	91
PID 2272 wrote to memory of 3756	2272	ca43e84804afc3aa10fcb9d8031fbe48.exe	101
PID 2272 wrote to memory of 3756	2272	ca43e84804afc3aa10fcb9d8031fbe48.exe	101
PID 2272 wrote to memory of 3756	2272	ca43e84804afc3aa10fcb9d8031fbe48.exe	101

C:\Users\Admin\AppData\Local\Temp\ca43e84804afc3aa10fcb9d8031fbe48.exe
"C:\Users\Admin\AppData\Local\Temp\ca43e84804afc3aa10fcb9d8031fbe48.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\ca43e84804afc3aa10fcb9d8031fbe48.exe
  C:\Users\Admin\AppData\Local\Temp\ca43e84804afc3aa10fcb9d8031fbe48.exe startC:\Program Files (x86)\LP\2095\324.exe%C:\Program Files (x86)\LP\2095
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\ca43e84804afc3aa10fcb9d8031fbe48.exe
  C:\Users\Admin\AppData\Local\Temp\ca43e84804afc3aa10fcb9d8031fbe48.exe startC:\Program Files (x86)\F35E0\lvvm.exe%C:\Program Files (x86)\F35E0
  2⤵
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\536F3\35E0.36F

Filesize
1KB

MD5
5179c9cfe5945851b0f0d41f392c34c4

SHA1
b37d7cd9a730538e6952dac37811f58a9e05da40

SHA256
c70e505c300340f5287a93e0d9b0da555394f7575c58952fc8acbfde16d5a2d7

SHA512
a29949c2693e14d05c8f99f52cea65475a1c6e2031fd7877aa1185c92c755646a0a6e8478798a9536ef06099569660c304082268dfea7e8f879ad6476c4b1502

Download Submit
C:\Users\Admin\AppData\Roaming\536F3\35E0.36F

Filesize
600B

MD5
f1149ed63ab30f8c0694fabcd09f8ff3

SHA1
7abdc3035c36997c7bc064f6de50635ffb4786fb

SHA256
53b071797afb88a51036e8f0b060e39525f26f219e173414f4426cc4ee0e4a63

SHA512
f34d352dd067233df30ce09ffb226eb9756fe084afe1ba8f7fb9c8907361deaaa0cb115bd060cc77c43aeab7b4fd7bb5b8174da13d699144bbc2cb47d937a991

Download Submit
C:\Users\Admin\AppData\Roaming\536F3\35E0.36F

Filesize
996B

MD5
5db1cc04933a37010269992432f8651f

SHA1
31cfb95f4d120d66ad69d971108905ffc03d9bd8

SHA256
d87b0dfec05ead483c0333085fdbf8c0d3b69bcc327f3005cdb4dc23ea11544c

SHA512
e9db7b8a8f5c3d4b8bd24e32faf9346c14e9866a554f974c8fc1205a32c3a074897812442b040c318e367cd994f3c3aec4b87a2da048e37eabc98c1cddcdfb06

Download Submit
memory/1992-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1992-13-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2272-75-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-143-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/2272-2-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/2272-176-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3756-72-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3756-73-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3756-74-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/3756-174-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads