e4cef569972dad8288b97638e8f1a616de6b49983bfd2cde7031b9125ea9657d

General

Target

e1ee7bbff6a3ff65d451b951f09aeb35.exe
Size

188KB
MD5

e1ee7bbff6a3ff65d451b951f09aeb35
SHA1

d9b0878c20eaa3f4985f522e1c27285dc9de4395
SHA256

e4cef569972dad8288b97638e8f1a616de6b49983bfd2cde7031b9125ea9657d
SHA512

ff8613824fda0fc1d4cd5d60667870e48740f7b5695250a02e9d4c3427a610c8fbfdad3f72e21b6070fde89f59c4eca6744de6c7aca76a0520bce49f734ce2b0
SSDEEP

3072:OlZJjtGkjt8FF0Xsh+ZcoqaiiD6DtzjwEoHDHwXC001HqkN0Qv7Fo:OlfzjtWqhcLaT6xjkjQXZsoq7Fo

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e1ee7bbff6a3ff65d451b951f09aeb35.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2628-8-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1688-65-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/564-72-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1688-74-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1688-156-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1688-194-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2628	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	28
PID 1688 wrote to memory of 2628	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	28
PID 1688 wrote to memory of 2628	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	28
PID 1688 wrote to memory of 2628	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	28
PID 1688 wrote to memory of 564	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	30
PID 1688 wrote to memory of 564	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	30
PID 1688 wrote to memory of 564	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	30
PID 1688 wrote to memory of 564	1688	e1ee7bbff6a3ff65d451b951f09aeb35.exe	30

C:\Users\Admin\AppData\Local\Temp\e1ee7bbff6a3ff65d451b951f09aeb35.exe
"C:\Users\Admin\AppData\Local\Temp\e1ee7bbff6a3ff65d451b951f09aeb35.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\e1ee7bbff6a3ff65d451b951f09aeb35.exe
  C:\Users\Admin\AppData\Local\Temp\e1ee7bbff6a3ff65d451b951f09aeb35.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\e1ee7bbff6a3ff65d451b951f09aeb35.exe
  C:\Users\Admin\AppData\Local\Temp\e1ee7bbff6a3ff65d451b951f09aeb35.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C971.31D

Filesize
1KB

MD5
8de0461532d6dfef109957c71e0287d3

SHA1
236d59f96a33f3ff9b67de48ee348a60c3b5b188

SHA256
c2c804f187891fdea530e338ba28f1db33f10001f502e224055d619e3306a2b9

SHA512
88436aaa4d88d3c1d77c323341f89e466cb5d701398309c20b72d7fe93fc6f58f278de14cb85fc674156de5aac0810632056ceeb75db155616c6fb7860e2c25e

Download Submit
C:\Users\Admin\AppData\Roaming\C971.31D

Filesize
600B

MD5
b505c019d0205b240ba79b35b3f71797

SHA1
611cee9ba07d76b16779c0a525af125d441f6f31

SHA256
f5d3ba13fce4af28ea8179e702020e46b95bb46ebefd6081b042803f5e71187f

SHA512
132cf9acf8f4d8fdd486fa1571573cfb358439dadd8e632c8470fe404af1febc333f73a39764c6e3f8a5703b84cd4ec82d808dbf0d03e2c72327eaacf89be53b

Download Submit
C:\Users\Admin\AppData\Roaming\C971.31D

Filesize
996B

MD5
c32999cda6a17713d06cb7eac7f93d1d

SHA1
f064d50184cf6a65b86146658f534325336db36d

SHA256
814a02da7ed3fb886e4a2bc60f215736d36c8ef5b940a9f567833c0ff7f6c2a2

SHA512
b394e0a9f801aba41c10ba46788defa74004f47f09185c94b00896415b8b7e8860ce9c69b20eb0730821aa31a1616384c2ce03a63e7e6f1f1ae6317837d5c605

Download Submit
memory/564-72-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/564-73-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/564-157-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1688-65-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1688-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1688-74-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1688-128-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1688-2-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1688-156-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1688-194-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2628-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2628-9-0x0000000000647000-0x000000000066F000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads