e5b02d9b47a711b29e54d8d818c66003e68fe004d4c33d4f80e8ba3340a87e35

General

Target

Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe
Size

167KB
MD5

cd32da2cae57c30b9b3b3b5492c72920
SHA1

d16bc032feff8280bf170efe526f3207f40f3443
SHA256

e5b02d9b47a711b29e54d8d818c66003e68fe004d4c33d4f80e8ba3340a87e35
SHA512

96e0c0a18993a8942cc26230159e1205a421c86d0689c19cfd989b01561c283497d80510c176d32ba76caafb80ca2bc6cab2d08c7bed9175d90c09d4768ad8ec
SSDEEP

3072:j7XdyeLiDIG+MrLE69kHpFLw90lfZSeDIRKe0pewIUW1xTBwUQBzbTFr:j7oeLiDIG+MPE6c2Qz0RKTYv1qdRr

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-2-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2608-5-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2608-6-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2908-13-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1480-67-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1480-68-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2908-69-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2908-158-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2608	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	30
PID 2908 wrote to memory of 2608	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	30
PID 2908 wrote to memory of 2608	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	30
PID 2908 wrote to memory of 2608	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	30
PID 2908 wrote to memory of 1480	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	32
PID 2908 wrote to memory of 1480	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	32
PID 2908 wrote to memory of 1480	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	32
PID 2908 wrote to memory of 1480	2908	Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe	32

C:\Users\Admin\AppData\Local\Temp\Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe
  C:\Users\Admin\AppData\Local\Temp\Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe
  C:\Users\Admin\AppData\Local\Temp\Virus.Autorun.ATA_virussign.com_cd32da2cae57c30b9b3b3b5492c72920.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A465.CE6

Filesize
1KB

MD5
89a421048aa5aec5aaf0835352ee1be2

SHA1
47539fba8fc0db0e7437c990f0806682ace21d6e

SHA256
2ba032748cace563fa1c33728df74d9d2a81d58a0281222dca75b8db1f47600a

SHA512
3bf3a3c0ac4b9b8422b991635abc5a53185d7e580c0df4a8c054569ab02d2d1b052b2dde4d69338226d24d491d865d782fa443445ade3f4c7bc483fd2f303369

Download Submit
C:\Users\Admin\AppData\Roaming\A465.CE6

Filesize
600B

MD5
6525cceb7b4839517eeb8100392fe70e

SHA1
d04002acf24f2c49b1fc764bfa0163b9926da108

SHA256
8dec00aa10284bb34958ee2d148a9bc3485eb6c4e638907cf0029ba93323af95

SHA512
b248e13826afaea64ec501d905ccd9285250c2022a26e6f700b3dfb88d853a99699c25bcab60970d7a8c63c675e6d681fcdba171b9c8a3d85c3baa1774b13118

Download Submit
C:\Users\Admin\AppData\Roaming\A465.CE6

Filesize
996B

MD5
e95223758a91eb484ac5055e63386a91

SHA1
b6cf8a0de304e3652d4d9606475f6d8b2485be09

SHA256
768c422b0054087086a761d0e031f273909f098ec195bce47bdb36dbb126a415

SHA512
adb938cfb44619e14e6bbb1241267fb7827ae241b31ecf81b3e95cb0bbd3b76a0133b27ec0dd3b132cfadf9ddf8b49a12d5faf813b9b7de7080d5c2ecc8198da

Download Submit
memory/1480-67-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1480-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-2-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-158-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads