767c367613633db9798a37c366a0166e132bef1ebd74b7a51c28711d42bb1e83

General

Target

d0be347179715db77e40ef4a50439da2.exe
Size

946KB
MD5

d0be347179715db77e40ef4a50439da2
SHA1

4b94bc600735eb5eed60a471dd788e7d0e2586b8
SHA256

767c367613633db9798a37c366a0166e132bef1ebd74b7a51c28711d42bb1e83
SHA512

2d56ead24db04d054fac5c737acb99449cb9317ff3865db89d7dded4d72cfa702d129850504d11b1abe85367cad5f40c0524d1b6fab86b33aa7ae238b7ea8e40
SSDEEP

24576:wSW+8M9O1qYOrrfGkFpuJieh6NvZKPubpeM:U9NPOrKkWJieh65Zte

Score

7^/10

bootkit persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

defender.exe

pid process

2984 defender.exe
Loads dropped DLL 2 IoCs

Processes:

d0be347179715db77e40ef4a50439da2.exe

pid process

2372 d0be347179715db77e40ef4a50439da2.exe
2372 d0be347179715db77e40ef4a50439da2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x00000000006E4000-memory.dmp	upx
\ProgramData\defender.exe	upx
behavioral1/memory/2984-20-0x0000000000400000-0x0000000000A0E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

defender.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malware Protection = "C:\\ProgramData\\defender.exe"	defender.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

defender.exe

description	ioc	process
File opened (read-only)	\??\K:	defender.exe
File opened (read-only)	\??\N:	defender.exe
File opened (read-only)	\??\V:	defender.exe
File opened (read-only)	\??\L:	defender.exe
File opened (read-only)	\??\O:	defender.exe
File opened (read-only)	\??\Q:	defender.exe
File opened (read-only)	\??\R:	defender.exe
File opened (read-only)	\??\T:	defender.exe
File opened (read-only)	\??\U:	defender.exe
File opened (read-only)	\??\W:	defender.exe
File opened (read-only)	\??\X:	defender.exe
File opened (read-only)	\??\G:	defender.exe
File opened (read-only)	\??\H:	defender.exe
File opened (read-only)	\??\I:	defender.exe
File opened (read-only)	\??\P:	defender.exe
File opened (read-only)	\??\Y:	defender.exe
File opened (read-only)	\??\E:	defender.exe
File opened (read-only)	\??\J:	defender.exe
File opened (read-only)	\??\M:	defender.exe
File opened (read-only)	\??\S:	defender.exe
File opened (read-only)	\??\Z:	defender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

defender.exe

description ioc process

File opened for modification \??\PhysicalDrive0 defender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	defender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d0be347179715db77e40ef4a50439da2.exedefender.exe

pid	process
2372	d0be347179715db77e40ef4a50439da2.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d0be347179715db77e40ef4a50439da2.exe

pid process

2372 d0be347179715db77e40ef4a50439da2.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

defender.exe

pid	process
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

defender.exe

pid	process
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe
2984	defender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

defender.exe

pid process

2984 defender.exe
2984 defender.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d0be347179715db77e40ef4a50439da2.exe

description	pid	process	target process
PID 2372 wrote to memory of 2984	2372	d0be347179715db77e40ef4a50439da2.exe	defender.exe
PID 2372 wrote to memory of 2984	2372	d0be347179715db77e40ef4a50439da2.exe	defender.exe
PID 2372 wrote to memory of 2984	2372	d0be347179715db77e40ef4a50439da2.exe	defender.exe
PID 2372 wrote to memory of 2984	2372	d0be347179715db77e40ef4a50439da2.exe	defender.exe

C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe
"C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2372

C:\ProgramData\defender.exe
C:\ProgramData\defender.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\defender.exe
Filesize
860KB

MD5
aa4e5c7054d22802f163c22997a71c1e

SHA1
d3e6aa99876fa005d2ab78a3759ef4e60f8829a0

SHA256
f54df95030a04f6bf2902f12176d1d4874a36b0eba39ac404d14705afc9711ef

SHA512
382ae78fd41c42fe110e296c0af6c58c4a5153416f12b882811832c8bbc0aa6025b10be631a8ea1daea1f33fc95480b1bd4c1c893d7d7870e1ea58f281cfb102

Download Submit
memory/2372-0-0x0000000000400000-0x00000000006E4000-memory.dmp

Filesize
2.9MB

Download
memory/2372-2-0x0000000000B30000-0x0000000000C30000-memory.dmp

Filesize
1024KB

Download
memory/2372-3-0x0000000000400000-0x00000000006E4000-memory.dmp

Filesize
2.9MB

Download
memory/2372-6-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/2372-9-0x0000000000400000-0x00000000006E4000-memory.dmp

Filesize
2.9MB

Download
memory/2372-13-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2372-19-0x0000000002AA0000-0x00000000030AE000-memory.dmp

Filesize
6.1MB

Download
memory/2984-30-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/2984-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-25-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-26-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-27-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-29-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-20-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-31-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-32-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-22-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/2984-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-46-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2984-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads