bd5a37a8d2cdc44d60e5f550eb02e84fe41e380c341c404a4ffb71f9fc057e4a

General

Target

CleanUp.dll
Size

472KB
MD5

9b589bdef7751d9f6e102d8ec1dd3740
SHA1

7af0251fa97aaa8ed0017b93c01a30ae01bc91c0
SHA256

bd5a37a8d2cdc44d60e5f550eb02e84fe41e380c341c404a4ffb71f9fc057e4a
SHA512

819401f0a74efc80001110b83c360765ebdb88ffe4738092b4abd2dd8e1bf51d32b54b2190af0f7bbae3830ab797456ea22ecd4275c261727fbb2b3c0536ee10
SSDEEP

12288:USXo1x8EicZyXeATBSrEW5bl+wtWVkhxUnMBRKl+ebeg0Lz:UgeE0+wtWVOxDBAl+6eg0n

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 26 IoCs

Processes:

rundll32.exe

flow	pid	process
21	1436	rundll32.exe
68	1436	rundll32.exe
69	1436	rundll32.exe
70	1436	rundll32.exe
74	1436	rundll32.exe
76	1436	rundll32.exe
77	1436	rundll32.exe
78	1436	rundll32.exe
79	1436	rundll32.exe
80	1436	rundll32.exe
81	1436	rundll32.exe
82	1436	rundll32.exe
84	1436	rundll32.exe
85	1436	rundll32.exe
86	1436	rundll32.exe
87	1436	rundll32.exe
88	1436	rundll32.exe
89	1436	rundll32.exe
90	1436	rundll32.exe
91	1436	rundll32.exe
92	1436	rundll32.exe
93	1436	rundll32.exe
94	1436	rundll32.exe
95	1436	rundll32.exe
96	1436	rundll32.exe
97	1436	rundll32.exe

Executes dropped EXE 2 IoCs

Processes:

getresult.exegetresult.exe

pid process

3508 getresult.exe
4992 getresult.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1436 rundll32.exe
1436 rundll32.exe

pid	process
3508	getresult.exe
4992	getresult.exe

pid	process
1436	rundll32.exe
1436	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 3724 wrote to memory of 1436	3724	rundll32.exe	rundll32.exe
PID 3724 wrote to memory of 1436	3724	rundll32.exe	rundll32.exe
PID 3724 wrote to memory of 1436	3724	rundll32.exe	rundll32.exe
PID 1436 wrote to memory of 1876	1436	rundll32.exe	cmd.exe
PID 1436 wrote to memory of 1876	1436	rundll32.exe	cmd.exe
PID 1436 wrote to memory of 1876	1436	rundll32.exe	cmd.exe
PID 1876 wrote to memory of 3136	1876	cmd.exe	cmd.exe
PID 1876 wrote to memory of 3136	1876	cmd.exe	cmd.exe
PID 3136 wrote to memory of 3508	3136	cmd.exe	getresult.exe
PID 3136 wrote to memory of 3508	3136	cmd.exe	getresult.exe
PID 3136 wrote to memory of 4992	3136	cmd.exe	getresult.exe
PID 3136 wrote to memory of 4992	3136	cmd.exe	getresult.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\getresult.exe
getresult.exe 1
5⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\Temp\getresult.exe
getresult.exe 1
5⤵
- Executes dropped EXE
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Local State
Filesize
130KB

MD5
2683fb59f868612b7e52ede9c21c7e30

SHA1
005cca39aeac90c9370afe02c84fca6cfe056998

SHA256
08715313d2417be76c049e61fb06cfdfc75eb231f23f95e812c078e1e537c5e8

SHA512
e6b4a3b0059664e7a91fe1ff415adfaab3f753f5d1685412e0e6af7c42cf44344fecd1600801e40528c4715563713e5d6d38f3a2b125bc88db7eea8002d58034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local State
Filesize
8KB

MD5
a64314040678df8514f5ca1f5e553fa6

SHA1
ca524eade485f1d17116a6fee4ebb8a5a8eaa415

SHA256
1fe046bd3e6db71a519efc4efb62ad0fabadd94b0f55c31c04e9f7551d081835

SHA512
6ac9102f14e4c11521584bf2cb8a28a3ff0c091fcff2c0553dabda994df08c6d59b5b555c34929942cfdaa8f52d070f7fcb79db9524ba5de08b277444063a761

Download Submit
C:\Users\Admin\AppData\Local\Temp\Login Data
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\Login Data
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanup.txt
Filesize
4B

MD5
639d79cc857a6c76c2723b7e014fccb0

SHA1
adfd09d30e05fd65b66767c0debe17a886cc47cd

SHA256
60f3014617bfa4ed073bfbc1cda889c1b85e92427fa6d63ede6bb9b35c662a1d

SHA512
dd2c770964f8aa993b793fae3f583b950e06b39fdb016b09d4504908878bae215d5642fafe717ce0d6235fcb6211b479b8badc8147750ff0772a46658162fa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\getresult.exe
Filesize
5.0MB

MD5
75b9e9a264f240f3fe53738ae77a4f69

SHA1
2de9ddb4954e7c3ae6969b0338ab4a732eeff9b1

SHA256
fbd85129473a8a0f017bcbdc9fa4d4e1b41dda94ffd02b8199ff8452aee69344

SHA512
e6d46d06cd3f165d9457f90dde0bfe1e07eaf5bc84a3b628a53cfc2b86d7ad812d3058695c28dbd7987f31a7b7a081443ceb9fb5022e65fcb9c5469e9ef31326

Download Submit
memory/3508-11-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp

Filesize
5.0MB

Download
memory/3508-12-0x0000000140000000-0x00000001404CF000-memory.dmp

Filesize
4.8MB

Download
memory/3508-26-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp

Filesize
5.0MB

Download
memory/4992-33-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp

Filesize
5.0MB

Download
memory/4992-47-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing