7zS850A099E.zip

General
Target: 7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Filesize: 1MB
Completed: 19-01-2022 08:14
Score: 8/10
MD5: 79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1: 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256: 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f

Malware Config
Signatures 6

Tactics: Collection, Credential Access
  • Executes dropped EXE
    11111.exe

    Reported IOCs

    pid   process
    2096  11111.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource                                        yara_rule
    behavioral22/files/0x00080000000220b9-130.dat   upx
    behavioral22/files/0x00080000000220b9-131.dat   upx
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    8     ip-api.com
  • Suspicious behavior: EnumeratesProcesses
    11111.exe

    Reported IOCs

    pid   process
    2096  11111.exe
    2096  11111.exe
    2096  11111.exe
    2096  11111.exe
  • Suspicious use of WriteProcessMemory
    61e7501db65f3_Tue23c7b395c3.exe

    Reported IOCs

    description                        pid   process                          target process
    PID 3500 wrote to memory of 2096   3500  61e7501db65f3_Tue23c7b395c3.exe  11111.exe
    PID 3500 wrote to memory of 2096   3500  61e7501db65f3_Tue23c7b395c3.exe  11111.exe
    PID 3500 wrote to memory of 2096   3500  61e7501db65f3_Tue23c7b395c3.exe  11111.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"
    Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2096
Network

MITRE ATT&CK Matrix
  Command and Control
  Credential Access
  Defense Evasion
  Discovery
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\11111.exe
    MD5: d0527733abcc5c58735e11d43061b431
    SHA1: 28de9d191826192721e325787b8a50a84328cffd
    SHA256: b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
    SHA512: 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    MD5: 1260763403cd6c8c8f71f3f29acc4744
    SHA1: 33bd943683ffe7ce5ca4f6018f1071b8a6fa0adf
    SHA256: 59c8f656bc1871e425a8610af17dc1e9794f0345876f04254d4b87855533fe19
    SHA512: 4fb6b69d1da1958d0d3cee299099dc2048790bbf1eea1958bb75d5896362472261b227eca1e2084b449cb0d2bd152fbf337ed4fb4cb9ad6816670159b534ca79