408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefc

General

Target

408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
Size

207KB
MD5

eaa97e865f670ddc71c5f5f11458bbe0
SHA1

6043365fd12de995fd7d2ffd800fc0e8135e9339
SHA256

408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefc
SHA512

ddaf9adb06119d9ac127bdec9b4e5a70f86721683852300b1ab0ff8aa4d989760c989f6ccd353f04180432320ff9ca7afdba881b7f49389e94dd3389e152e9ce
SSDEEP

6144:qM1pNHjExfP9qwK+N6PTAIBpO06u4Oxb1fBg0aUWY4XV:qM1nHjqflqk2pO06tO91pg0bW

Score

10^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process
PID 2532 set thread context of 0	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
PID 1264 set thread context of 0	1264	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
PID 1912 set thread context of 0	1912	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-2-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1264-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1264-7-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2532-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2532-79-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1912-81-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1912-82-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2532-182-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1264	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	30
PID 2532 wrote to memory of 1264	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	30
PID 2532 wrote to memory of 1264	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	30
PID 2532 wrote to memory of 1264	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	30
PID 2532 wrote to memory of 1912	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	32
PID 2532 wrote to memory of 1912	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	32
PID 2532 wrote to memory of 1912	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	32
PID 2532 wrote to memory of 1912	2532	408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe	32

C:\Users\Admin\AppData\Local\Temp\408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
"C:\Users\Admin\AppData\Local\Temp\408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
  C:\Users\Admin\AppData\Local\Temp\408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe
  C:\Users\Admin\AppData\Local\Temp\408023671a9857e42aa0945b83c667ba2b4bd458c97d03be1220bb6b63d7aefcN.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A634.55E

Filesize
1KB

MD5
ac0da61967c75c098e4ed2c5c632d133

SHA1
e9a81cbc8252bd42005ad88de583dedb9d7707f9

SHA256
f337579fc2135a419c73d00b189589be9715fd59ef73f1e498c4d808aa2c3856

SHA512
a04f11147c1f1b11cfdc8964d3cb36ec065c5b516e1b5b94229122f2551d385d0267c4e08e7b239ad6b73182d719b2027fe5e67507a4bf0cab16ab52b6cc8f4a

Download Submit
C:\Users\Admin\AppData\Roaming\A634.55E

Filesize
600B

MD5
a37c70e72ecf7065c5bb536a1c05c546

SHA1
1624c8a0eb0cbfda8270db8e316972dcc1e161de

SHA256
46470308357acbf1dfcc67f23cf8186f09ec0cc2aec1522b201c5079ba342efd

SHA512
72eeec32b5972d10f259700085aa0325c3dfe245a4aea77c87741139675f79c25474fe115f749fbec6a87d2097b8aa6e2efd02cf3a63021371bf7f1139cef595

Download Submit
C:\Users\Admin\AppData\Roaming\A634.55E

Filesize
996B

MD5
aaeee92a052c20887ea282789257c561

SHA1
b5923ff5ff779c5c35b6dd9772224eb52711cf1c

SHA256
35c702fb8913e24ad6ba60e547efddbbad825b60362e33cf0f0ff09b9e081a8f

SHA512
de386cc5e6543c515abc4d53af19c656b5d392781c3aeb123fe4ae9bf88a7366e68cf36711ba9b258a9677354ce280ed6ee236f53be7e381dc3f2a4d25bdce46

Download Submit
memory/1264-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1264-7-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1912-81-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1912-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2532-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2532-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2532-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2532-79-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2532-182-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads