Malware Analysis Report

2025-08-05 23:33

Sample ID 250119-xykr9a1qgv
Target e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
SHA256 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
Tags upx credential_access discovery persistence spyware stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

7/10

SHA256

e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc

Threat Level: Shows suspicious behavior

The file e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe was found to show suspicious behavior.

Malicious Activity Summary

upx credential_access discovery persistence spyware stealer

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 19:15

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 19:15

Reported

2025-01-19 19:17

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\videodrv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" C:\Windows\videodrv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\exe.tmp C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\zip.tmp C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\eml.tmp C:\Windows\videodrv.exe N/A
File created C:\Windows\videodrv.exe C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A
File opened for modification C:\Windows\videodrv.exe C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A
File created C:\Windows\videodrv.exe C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\videodrv.exe C:\Windows\videodrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\videodrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe

"C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"

C:\Windows\videodrv.exe

C:\Windows\videodrv.exe

Network

Country  Destination         Domain                  Proto
US       8.8.8.8:53          www.google.com          udp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          aspmx3.googlemail.com   udp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    aspmx3.googlemail.com   tcp
US       8.8.8.8:53          N/A                     tcp
SG       74.125.200.26:25    N/A                     tcp

Files

memory/3056-0-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Windows\videodrv.exe

MD5 224c306b78a6e3fb7d042c3be3888790
SHA1 048d839a99a4d8228a7fde54fe2b95e8c4e09999
SHA256 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
SHA512 44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541

memory/1636-15-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3056-14-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3056-13-0x0000000000220000-0x0000000000299000-memory.dmp

memory/1636-16-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Windows\eml.tmp

MD5 91c3cdc1653ba5675ea4df74281f469c
SHA1 114a183104130407751193c8c4423e72af2bd8ca
SHA256 4f0839ef8ef74df631cd7a0d83228c90810f420092d3cafc8e68b48c7a17f335
SHA512 4f764c4e4934c8d467208ea25fb557d76d8ceea9093863718959ffabdd8b979bc46927d26b033f1b861c144e0cb804c946a0b3fce6dd39961cb415b18fc0e0e6

memory/1636-102-0x0000000000400000-0x0000000000479000-memory.dmp

memory/1636-127-0x0000000000400000-0x0000000000479000-memory.dmp

memory/1636-128-0x0000000000400000-0x0000000000479000-memory.dmp

memory/1636-129-0x0000000000400000-0x0000000000479000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 19:15

Reported

2025-01-19 19:19

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\videodrv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" C:\Windows\videodrv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\videodrv.exe C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\videodrv.exe C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\exe.tmp C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\zip.tmp C:\Windows\videodrv.exe N/A
File opened for modification C:\Windows\eml.tmp C:\Windows\videodrv.exe N/A
File created C:\Windows\videodrv.exe C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A
File opened for modification C:\Windows\videodrv.exe C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\videodrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe

"C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"

C:\Windows\videodrv.exe

C:\Windows\videodrv.exe

Network

Country  Destination         Domain                            Proto
US       8.8.8.8:53          217.106.137.52.in-addr.arpa       udp
US       8.8.8.8:53          151.50.22.2.in-addr.arpa          udp
US       8.8.8.8:53          245.131.30.184.in-addr.arpa       udp
US       8.8.8.8:53          17.160.190.20.in-addr.arpa        udp
US       8.8.8.8:53          www.google.com                    udp
US       8.8.8.8:53          133.211.185.52.in-addr.arpa       udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa        udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa         udp
US       8.8.8.8:53          197.87.175.4.in-addr.arpa         udp
US       8.8.8.8:53          241.42.69.40.in-addr.arpa         udp
US       8.8.8.8:53          160.50.123.104.in-addr.arpa       udp
US       8.8.8.8:53          133.130.81.91.in-addr.arpa        udp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          aspmx3.googlemail.com             udp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          inbound-reply.s7.exacttarget.com  udp
US       136.147.189.244:25  inbound-reply.s7.exacttarget.com  tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          smtp.google.com                   udp
NL       142.250.153.26:25   smtp.google.com                   tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          aspmx2.googlemail.com             udp
FI       142.250.150.26:25   aspmx2.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
SG       74.125.200.26:25    aspmx3.googlemail.com             tcp
US       8.8.8.8:53          N/A                               tcp
SG       74.125.200.26:25    N/A                               tcp

Files

memory/3608-0-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Windows\videodrv.exe

MD5 224c306b78a6e3fb7d042c3be3888790
SHA1 048d839a99a4d8228a7fde54fe2b95e8c4e09999
SHA256 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
SHA512 44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541

memory/3608-10-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3340-11-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Windows\eml.tmp

MD5 b3a1ace3f7691d3795f2d59405add79e
SHA1 7b0f0794a4fc2f3f7596ebec298cfbe7d333f773
SHA256 d814662cacb0d7bb84edd2f03713d1338303152d968f5bc9f31ea84f34fb2cb4
SHA512 fd54826424d3dab1c66846b718e8f3efe0984c4c984325e8c9082e3306fbfcd2c700a50045a0b609dd6eceeb41825e8b756f7e5a4887706a876d085dc0cf75cd

C:\Windows\eml.tmp

MD5 dd3d6f89a870a89599c3224ba2f77cde
SHA1 72471eabc5bd90688291e501d27faa58b8065d41
SHA256 446432d1f0b4d0c102745a09a5265f991053adc3edc28360f1f4882834938cc6
SHA512 21602bfa9da4e6632c0cbf97d08ffbeb5ce2415050d7c04ba8dbad5c4e72b30f0c225d563ad56d341580e04d64da24a551eb22af95d404a3790f19349e488d32

C:\Windows\eml.tmp

MD5 03eaafad1ab97601f872c8cb20c9afce
SHA1 758d17d6924a87d16388f03b445bad4739d3603e
SHA256 0c8302216f046043fe7238ef1a00cba166a77fb85e9ab89dc1d7f9d178bcff6f
SHA512 72f1a2ac56bac36d92b6875ca5b195e19d387c6ce0d92cadd0c596daaf3c2e16d3d9e8faafc0f7c1d9538a39c0355fc997d6db80897fd421bfa72c4e8ec8f30d

C:\Windows\eml.tmp

MD5 f4d0cfeae265e06a0de91365c9e73413
SHA1 4b651a48d37412c1849c181dea91feaa4c5f6a72
SHA256 b80e48ff761536872ea8c220967834066ece37a74eae3634d39856be0464cba4
SHA512 4be545394bb6284624405c759c5b7655161352d0e0a92a87b4178a57ae75de47c930c9499e662f98b4dcddb8371bfaa811c4bdb608bb37b994e17fb3e75b4571

memory/3340-219-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Windows\eml.tmp

MD5 8a2ecd274bcc7ae885f6e8f2eab5a639
SHA1 5215b6dd17bb850fa19f73e1e01a72cdd012cb6d
SHA256 a1f719a8c3b6061a5fa0481fc21b9908ddad9ca9e60cbf5b7e45cd1bf89225fb
SHA512 c339c681561234c902503bf3040a3a84b4ebb99c754ecc682984acd11c9a9641f85ead5d599b7a958d3c68d5a330674c466cefa5d4ee88a1f77175dd1f1b1712

memory/3340-248-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3340-249-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3340-250-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3340-251-0x0000000000400000-0x0000000000479000-memory.dmp