b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4

General

Target

b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe
Size

196KB
MD5

ccf4c792166f15a7959969b3ece770dd
SHA1

f3b5a0a43de689cd3daf9c1f821c981a6c7b0f2f
SHA256

b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4
SHA512

3778f978ee2260ba2471f5c4fe2306496f90c75881c25b10ac6974573d077adaa6fe87c919c258554d761732a2fb9e1d5aa1f74cd2312e042e1143057e19c6cc
SSDEEP

3072:kd8lllr9jj07g5GWEI74ppnNnVb9Wrkp9OD6BF7jlyIxbiGa3xblUc3rSRP1LP2Y:kaTjjwSzx7sn1GD678IQGa5lRUdLP2

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-1-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2156-2-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2324-7-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2324-6-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2156-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1476-85-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/1476-83-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2156-86-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2156-193-0x0000000000400000-0x000000000048C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2324	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	30
PID 2156 wrote to memory of 2324	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	30
PID 2156 wrote to memory of 2324	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	30
PID 2156 wrote to memory of 2324	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	30
PID 2156 wrote to memory of 1476	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	33
PID 2156 wrote to memory of 1476	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	33
PID 2156 wrote to memory of 1476	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	33
PID 2156 wrote to memory of 1476	2156	b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe	33

C:\Users\Admin\AppData\Local\Temp\b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe
"C:\Users\Admin\AppData\Local\Temp\b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe
  C:\Users\Admin\AppData\Local\Temp\b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe
  C:\Users\Admin\AppData\Local\Temp\b247ffda4f3426fb2fbe7d876f277513b66f0dbc2c53a5a6de0a135b0cfaa8a4.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6EEB.294

Filesize
1KB

MD5
aa49d6e47c2c71b0a1866d953c85f2d5

SHA1
39864932478a31e0fabea09ae7e5d9a5d64b2b3f

SHA256
9251cd289cbb1086a2855e326f53e949ba0e3c094f2357d1cc3a786e9bbc53e9

SHA512
553a1dfc26494fcf3e1fc0ab18cbbdc23e263dbdfa3aef945df88f153086eaa28ef95b7d3ec3e58d1b1c49838c7bb26ac5ed04968b15567da2724095423c2686

Download Submit
C:\Users\Admin\AppData\Roaming\6EEB.294

Filesize
600B

MD5
7f888882adbdc08c1a60ce158bfb8a1e

SHA1
f54a686bd5229cf4b227a0f5c867cb69b8076507

SHA256
edf0096c2d7f19b4224ade9a3014d90d0c3198f50f8409e4afcf03bb21ad3d49

SHA512
1c8b089724487c06dd8f0f1577fd7eb90ac8d1e76be2ddc29324c185164da2d4260259b88b6ea59e049967cbc19a501d48311faf71e47756a96c1a9a82b207c7

Download Submit
C:\Users\Admin\AppData\Roaming\6EEB.294

Filesize
996B

MD5
323aaca4dadb90d92ebcff4f2f72946b

SHA1
d67f053cbccf78b9a0a533c0b6e1de06d684cbcd

SHA256
63076715bd987053c2ecf2a56c73130f6002404ac9a08e2dc846b5a4ddbb0866

SHA512
702159434eacda086b442e5976a6e7471f4b77fc4fdcbe2a532f1f4f16150b355d45afa744ae1177f31c1d017280e149809deb5b91c10d4e3ecec65aff416ff0

Download Submit
memory/1476-83-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1476-85-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2156-86-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2156-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2156-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2156-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2156-193-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2324-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2324-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2324-5-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads