3a16c941223ae24e33b62e925575669a52f7993765aadf075a8bea5decd8a836

Analysis

max time kernel
118s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-01-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Size

1.6MB
MD5

79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1

8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256

556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512

3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

11111.exe

pid process

2096 11111.exe

pid	process
2096	11111.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

11111.exe

pid process

2096 11111.exe
2096 11111.exe
2096 11111.exe
2096 11111.exe

flow	ioc
8	ip-api.com

pid	process
2096	11111.exe
2096	11111.exe
2096	11111.exe
2096	11111.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

61e7501db65f3_Tue23c7b395c3.exe

description	pid	process	target process
PID 3500 wrote to memory of 2096	3500	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 3500 wrote to memory of 2096	3500	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 3500 wrote to memory of 2096	3500	61e7501db65f3_Tue23c7b395c3.exe	11111.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe
MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
1260763403cd6c8c8f71f3f29acc4744

SHA1
33bd943683ffe7ce5ca4f6018f1071b8a6fa0adf

SHA256
59c8f656bc1871e425a8610af17dc1e9794f0345876f04254d4b87855533fe19

SHA512
4fb6b69d1da1958d0d3cee299099dc2048790bbf1eea1958bb75d5896362472261b227eca1e2084b449cb0d2bd152fbf337ed4fb4cb9ad6816670159b534ca79

Download Submit