54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8

General

Target

54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe
Size

68KB
MD5

0e4a7e06790b055cd2ba00c41beaa2e0
SHA1

945cb0eeab367b62af6cd054917eb1c5d8999cd0
SHA256

54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8
SHA512

1e760749104137c5e06196b773c02c086712b44d5bfa65c238cfcace988eae2d680795941a51a0a5dc767d707c03792a3650f299fd14e460602d2f9a675b5f41
SSDEEP

1536:t2hsEQfjdYs2hsEQfjdYL2hsEQfjdYs2hsEQfjdYi:tdjusdjuLdjusdjui

Score

7^/10

credential_access discovery persistence spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

Processes:

videodrv.exe

pid	Process
4552	videodrv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exevideodrv.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe"	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe"	videodrv.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1372-0-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/files/0x000c000000023b27-4.dat	upx
behavioral2/memory/1372-10-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/4552-11-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/4552-216-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/4552-245-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/4552-246-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/4552-247-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/4552-248-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

Processes:

videodrv.exe54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe

description	ioc	Process
File opened for modification	C:\Windows\zip.tmp	videodrv.exe
File opened for modification	C:\Windows\eml.tmp	videodrv.exe
File created	C:\Windows\videodrv.exe	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe
File opened for modification	C:\Windows\videodrv.exe	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe
File created	C:\Windows\videodrv.exe	videodrv.exe
File opened for modification	C:\Windows\videodrv.exe	videodrv.exe
File opened for modification	C:\Windows\exe.tmp	videodrv.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exevideodrv.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videodrv.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe

description	pid	Process	procid_target
PID 1372 wrote to memory of 4552	1372	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe	83
PID 1372 wrote to memory of 4552	1372	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe	83
PID 1372 wrote to memory of 4552	1372	54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe	83

C:\Users\Admin\AppData\Local\Temp\54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe
"C:\Users\Admin\AppData\Local\Temp\54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\videodrv.exe
  C:\Windows\videodrv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\eml.tmp

Filesize
2KB

MD5
07c50f324891a0b0cb3014ef8824b89b

SHA1
f16ba2d589e6d307286f3e1ffdb8b3786bd232df

SHA256
67fcd1664d249e2be35d4cacf65de69703a1329c9406ad569a5908ba43f423ff

SHA512
3b811ed4bdad9e92906aee79dea0e4458014516ca877b25d69de00b7b2335bf1bc5ade67db01d18c4902d9cc9269e2c2b0b2465c767977b53cb7e2756300695b

Download Submit
C:\Windows\eml.tmp

Filesize
3KB

MD5
8883d5d70c1dcca534e8326617ac419b

SHA1
bab898102579851d372f1603b3b9587d180624a0

SHA256
8f9917beb1882f06cf924225ed87f5b45b18f0b58614cd6b6e8144afab3ef0b2

SHA512
6b4fe5038c0fa16ad616b30bedaf6a7ef78fdbb98502905f2efe7faecf0fed600332b76fc13ce6ca4fe236bb8562b2fb1562ccb007761e413110551d27d5c1c5

Download Submit
C:\Windows\eml.tmp

Filesize
4KB

MD5
d17f7b02e317da5d27eddb6954b0b35c

SHA1
5de035b017513cb4c9bb3efb18f3e865dbf7d078

SHA256
35dfa8a0804d44ba8e991c0bedf7f7ca8280f34879aed028d99652866b6a9a86

SHA512
df46efc48e119be8930d00645340d05b2d1297f10a6c926b9a4c010171ceff18ebd5889472564df460787a4c0eba8e60a7d53a49c98b4027e39dd9e0946a1366

Download Submit
C:\Windows\eml.tmp

Filesize
1KB

MD5
991730c95b516e2b13dc82fc57deb2e8

SHA1
c0dcc79be1dc365f5677073231af0730493ca82d

SHA256
f58c58e68551914c3d7a0ea3c4600c205c3c52220b61780bedee9936b212cf49

SHA512
b9ae1c661023b284712277e38fec85d3244c2fb247c0f70b4e7c217ba109500279f9c16f9719faa0829da75f10b621c6503a18d1db3b8660ffba60df934bcec8

Download Submit
C:\Windows\eml.tmp

Filesize
1KB

MD5
0d0788e70ebb73c29604082ebf644109

SHA1
c86af330603efbd538c0462bb7a323a54a419f0d

SHA256
832f8a06fcc9b31b45cdca3dafc13c17e53ed758564409ad9c6e130ed67902e8

SHA512
481802fe7fdf38d74dfeeb5f554a48f671129004dcabeb10de3d8cab7542faa80d55f3716030475f2ae6e3c9d7e6e15308e606843b960b99fc76c3d4d74b439f

Download Submit
C:\Windows\videodrv.exe

Filesize
68KB

MD5
0e4a7e06790b055cd2ba00c41beaa2e0

SHA1
945cb0eeab367b62af6cd054917eb1c5d8999cd0

SHA256
54a926ae1b58e435cb4c29908cd219b983997d7ccc22e653a7d21fb23fec2eb8

SHA512
1e760749104137c5e06196b773c02c086712b44d5bfa65c238cfcace988eae2d680795941a51a0a5dc767d707c03792a3650f299fd14e460602d2f9a675b5f41

Download Submit
memory/1372-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1372-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4552-11-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4552-216-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4552-245-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4552-246-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4552-247-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4552-248-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads