77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977

General

Target

77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
Size

4.1MB
MD5

c6e5f3f5ba9ae8fb70f73fae8b2172fa
SHA1

9719bb8ddd55e4d5105685a2a3ac5b80c01b4ac8
SHA256

77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977
SHA512

b8c82c9a1b3428604efda7e9083e396cab41b126769ad6d26d60b9ea432f14023a56cdbaab27cda46f6c95346f3efdb2abd5ae5b46afa9abd6c663a26cd25a4b
SSDEEP

49152:Pmmk1H6gBnOpek8EZp5OPycC5rcQq8oy7auZzyDxItd1Eh5qwlRxvNHhYNVTKG5j:Pmu4nOkO5v5w/8LJ79q8cQVeWC/3Mn

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
412	kjarrvuqnhvxummpvwuzchhfllldxis-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1456-0-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-4-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/files/0x000100000002aa0f-11.dat	upx
behavioral2/memory/412-16-0x00007FF633710000-0x00007FF635019000-memory.dmp	upx
behavioral2/memory/412-15-0x00007FF633710000-0x00007FF635019000-memory.dmp	upx
behavioral2/memory/3756-19-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/3756-31-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-33-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-34-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-35-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-36-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-37-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-39-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-38-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/412-40-0x00007FF633710000-0x00007FF635019000-memory.dmp	upx
behavioral2/memory/1456-41-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-42-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-43-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-44-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-45-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-46-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-48-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-47-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-49-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-50-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-51-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-52-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-53-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-54-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-55-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-56-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-57-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-58-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-59-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-60-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/1456-61-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx
behavioral2/memory/2568-62-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe = "11001"	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe = "11001"	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3756	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
3756	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1456	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2568	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2568	1456	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe	80
PID 1456 wrote to memory of 2568	1456	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe	80

C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
"C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
  "C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
  "C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -cmem 0000pipe0PCommand96Getscreen0meoyfae5wo24tj4da -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756

C:\ProgramData\Getscreen.me\kjarrvuqnhvxummpvwuzchhfllldxis-elevate.exe
"C:\ProgramData\Getscreen.me\kjarrvuqnhvxummpvwuzchhfllldxis-elevate.exe" -elevate \\.\pipe\elevateGS512kjarrvuqnhvxummpvwuzchhfllldxis
1⤵
- Executes dropped EXE
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\kjarrvuqnhvxummpvwuzchhfllldxis-elevate.exe

Filesize
4.1MB

MD5
c6e5f3f5ba9ae8fb70f73fae8b2172fa

SHA1
9719bb8ddd55e4d5105685a2a3ac5b80c01b4ac8

SHA256
77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977

SHA512
b8c82c9a1b3428604efda7e9083e396cab41b126769ad6d26d60b9ea432f14023a56cdbaab27cda46f6c95346f3efdb2abd5ae5b46afa9abd6c663a26cd25a4b

Download Submit
C:\ProgramData\Getscreen.me\logs\20240605.log

Filesize
719B

MD5
33285a264cdcdf1ce9666110591665db

SHA1
2d2d1aa8627bcd0ff0c25fc4d07e5706b56a272b

SHA256
cc1b0a86a3bcdf7e6d629224c877c8408bb3d457b682944ed99eb8b267a13b40

SHA512
41a54de8d5c29d686e0676141ff80d2fa17ef6a464d8d13dc6f0eddcaf144025704a42a1f01adbe46ccf8c8950261fe27e37c2c0b65d6722d0ea1f660acfad88

Download Submit
C:\ProgramData\Getscreen.me\logs\20240605.log

Filesize
3KB

MD5
ab95220c0aba615bcd8f50a5c60f4327

SHA1
69fd13d1859d9c1167b4ed5d332f57fa5e4a1780

SHA256
470489eb041b191a250d923538a174380a0958162b07f410720820f400c55fbf

SHA512
d6d79038e6d7636572a3b32db1bce48651f699e23dc8e3c0e89ee6ed8be629be7a2cb39ca8c7774167339fd2a617291b8ba42ece940f54e6cc0660b7c3f1719f

Download Submit
C:\ProgramData\Getscreen.me\logs\20240605.log

Filesize
261B

MD5
05d49467dd22f2acec547e99591ceecd

SHA1
8f22fb325de3ed6201abe1c7d703c1bba02bcb97

SHA256
e3f3daf8eb008f211e5d203b305a3dedadb87cc08a12ce38ae3ecf0416f75137

SHA512
2981e267b6a4c2ff8c97be20875359ad6ee649489d3254292c8fe9dfe1c4027a0dc77cbb26a3d00c01bd0cbb34d9d4c65fbc1c44b6023391c3e8f3ba4119605e

Download Submit
C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96Getscreen0meoyfae5wo24tj4da

Filesize
16.0MB

MD5
76e060e929a27a8f50a5ea6edfc52356

SHA1
91b7bc99d759d84720b376f69bc934d75d9ec549

SHA256
95f95f6678ad42de249fe02f78472b553837b1e2aecd2f43b5715fae9187feae

SHA512
f1a361f28a87b18b8b5707bd3332e751ee30dfc5c9a32a4bbc39b7e8d5ac34385e96b49546003741a797c1a8e53537a91d5345dfcb1707bc65a483d458fd38fe

Download Submit
memory/412-40-0x00007FF633710000-0x00007FF635019000-memory.dmp

Filesize
25.0MB

Download
memory/412-16-0x00007FF633710000-0x00007FF635019000-memory.dmp

Filesize
25.0MB

Download
memory/412-15-0x00007FF633710000-0x00007FF635019000-memory.dmp

Filesize
25.0MB

Download
memory/1456-57-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-0-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-45-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-33-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-55-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-35-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-53-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-59-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-51-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-38-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-61-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-41-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-49-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-43-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/1456-47-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-52-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-54-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-48-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-44-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-42-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-50-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-39-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-37-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-36-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-46-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-34-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-56-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-62-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-58-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-4-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/2568-60-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/3756-19-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download
memory/3756-31-0x00007FF7A57D0000-0x00007FF7A70D9000-memory.dmp

Filesize
25.0MB

Download

Analysis

Sharing