cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9

General

Target

cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe
Size

17KB
MD5

09eca2becdc4276ce54d5589555bd0fa
SHA1

ff6b210d4bb51eb041057509120e8169ee53088d
SHA256

cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9
SHA512

afc3ac1a4916ed7af96119c63aa5bf61d2e27031118a5a379046ca2a0a4f4117c1b5ad286d50727dff74669be245f363fcdf1cd0948bca291e488cca30838c98
SSDEEP

384:tv+t/QgBssNSvNSV+EVeFuKk/RetkMHvLYYxHKpp7ppppph:t2h/EEQ0VKkJedYF

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

videodrv.exe

pid process

2996 videodrv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2996	videodrv.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000479000-memory.dmp	upx
C:\Windows\videodrv.exe	upx
behavioral1/memory/2996-13-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2400-15-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2996-16-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2996-126-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2996-128-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2996-130-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2996-131-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2996-133-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exevideodrv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe"	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe"	videodrv.exe

Drops file in Windows directory 7 IoCs

Processes:

cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exevideodrv.exe

description	ioc	process
File created	C:\Windows\videodrv.exe	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe
File opened for modification	C:\Windows\videodrv.exe	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe
File created	C:\Windows\videodrv.exe	videodrv.exe
File opened for modification	C:\Windows\videodrv.exe	videodrv.exe
File opened for modification	C:\Windows\exe.tmp	videodrv.exe
File opened for modification	C:\Windows\zip.tmp	videodrv.exe
File opened for modification	C:\Windows\eml.tmp	videodrv.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe

description	pid	process	target process
PID 2400 wrote to memory of 2996	2400	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe	videodrv.exe
PID 2400 wrote to memory of 2996	2400	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe	videodrv.exe
PID 2400 wrote to memory of 2996	2400	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe	videodrv.exe
PID 2400 wrote to memory of 2996	2400	cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe	videodrv.exe

C:\Users\Admin\AppData\Local\Temp\cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe
"C:\Users\Admin\AppData\Local\Temp\cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\videodrv.exe
C:\Windows\videodrv.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\eml.tmp
Filesize
919B

MD5
46f49fad1e238e7b31758a4aa778050a

SHA1
2909bddb7692ab99f992dc950d5e87dc2005f56a

SHA256
469ca9d4c593405704f67bbb0a04255dad66735b61374ababafe20777ced01b8

SHA512
83899e5847faecd7265c56f6e1e060e845fe5199bb7b7195cb720b58b4f621b29a462570e4bdf29323f283ffaffb7f6cbe9610ddd7f3ece6c6999d02484696a4

Download Submit
C:\Windows\eml.tmp
Filesize
1KB

MD5
80cb38c99c60ea12fbd536207f2459f8

SHA1
87faf99810c74aa86c67c7cc959e3f4db716cc66

SHA256
1ca2da6af0f6952e712af9441c9dae2f8c0da842bc697d1609d5f995283050f1

SHA512
9ee1b6429e7f53c73f2b3040d90576a0d1f813243f5fa479aa73753e81e72f8936b0c9a76498d4cb57a66fc8595a90df62fb9df0976a7e75c343b63649e28787

Download Submit
C:\Windows\eml.tmp
Filesize
1KB

MD5
dc58e4cf25637aa9e9c78bbfc3166a5a

SHA1
d1956190f2c5213377f8bf839be14085ede4f0ab

SHA256
061e039b4c9e5e9f020e6aad0a943a0689ef1135a5aaa0049e3f3edd0e5e4a0a

SHA512
d7de4e7426e2a1664226262e5c62d89a5f33ad175dd68951e0f422eb65d60511ec120df06affeccafd0ccf8815700011961e804ce6cebc134af039536b7e1b19

Download Submit
C:\Windows\videodrv.exe
Filesize
17KB

MD5
09eca2becdc4276ce54d5589555bd0fa

SHA1
ff6b210d4bb51eb041057509120e8169ee53088d

SHA256
cf2f0c8462f8d833a6e76ce03c622104a987295965d35635230eea6f313d57a9

SHA512
afc3ac1a4916ed7af96119c63aa5bf61d2e27031118a5a379046ca2a0a4f4117c1b5ad286d50727dff74669be245f363fcdf1cd0948bca291e488cca30838c98

Download Submit
memory/2400-12-0x00000000002C0000-0x0000000000339000-memory.dmp

Filesize
484KB

Download
memory/2400-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2400-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-13-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-126-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-131-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2996-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads