e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbf

General

Target

e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
Size

171KB
MD5

e4bab18853c1124af84cb34830a25940
SHA1

077cc65709ffe3b561ab773e1d3a6703e40ab8ba
SHA256

e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbf
SHA512

3b83848337547eb2394fa8024c84a297384f5e7d95d3e10a91d0269f770c27991eb106fb7496a8f5324ad26cc1dc269e662d225440006449cc97088e7824433e
SSDEEP

3072:rZcFmpOW3uUMKH83ECl9Zsows7T+gVTQ4e+9Ec0Daq56UfEvnbi:ln3NM2jC2ows7iuTJe+9E/ai61b

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\883E8\\AC432.exe"	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2776-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2848-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2848-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1548-123-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1548-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2848-124-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/2848-290-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2776	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	31
PID 2848 wrote to memory of 2776	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	31
PID 2848 wrote to memory of 2776	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	31
PID 2848 wrote to memory of 2776	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	31
PID 2848 wrote to memory of 1548	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	33
PID 2848 wrote to memory of 1548	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	33
PID 2848 wrote to memory of 1548	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	33
PID 2848 wrote to memory of 1548	2848	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	33

C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
"C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
  C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe startC:\Program Files (x86)\LP\32F8\5C6.exe%C:\Program Files (x86)\LP\32F8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
  C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe startC:\Program Files (x86)\E8C76\lvvm.exe%C:\Program Files (x86)\E8C76
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\883E8\8C76.83E

Filesize
996B

MD5
921f58acb352f39b1132ca47618deb63

SHA1
04f0343dfbb53c0da5a38ffb038ab4d93766bdd4

SHA256
44ef93d43f9900301b332b8e34887e3e78cc504d7a884e5d199b2a38978206d7

SHA512
ba5a0f63f4575504fdcc5e9bd45b4f5fb05f03558ad404ac4e86dd91710b8adfd1451faff40ed3788e2301002b3fe67758992048385ea53838383951465e352a

Download Submit
C:\Users\Admin\AppData\Roaming\883E8\8C76.83E

Filesize
600B

MD5
1ff3266642ae813964c15c4e02554a65

SHA1
03abf819b2c59989f67913a2f6f22f4f8dc4db7c

SHA256
05b61ea561b97376a0b208ba2dcac46e5f2435a2992317d395fdd7013e3c0ddd

SHA512
297f4b818bd282ae6d4bf86e621c22f15f31c6e228aa5fdea4498f00a4330951309ba4b6fa93d25e7c43e6dc76212162d953c012277a6c3725cb41d35ee6bd4b

Download Submit
C:\Users\Admin\AppData\Roaming\883E8\8C76.83E

Filesize
1KB

MD5
dc2b437c5c2d41b70e7453fd0885cdf3

SHA1
8181fbc9760a509525bd0dcc7e5d82d068db9342

SHA256
a140a9902cec45934c8d0a213054aa27f3401a54a3608e87d294f3292a96744e

SHA512
5f51c57b95f01a96347acf4b054fb198bba8a7ad527833e18f6d04b7ac1b0668761872a62967407d94cfbdf286c1b3687541cc167c6f8fc59a1bf806aceb7c48

Download Submit
memory/1548-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1548-123-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2776-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2776-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2848-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2848-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2848-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2848-124-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2848-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2848-290-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads