6519bb10f4281f4bd54ffbe6d314d7c445979ead9704e3037fbb586d27a382d4

Analysis

max time kernel
131s
max time network
319s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-09-2022 04:52

Target

6519BB10F4281F4BD54FFBE6D314D7C445979EAD9704E3037FBB586D27A382D4.exe
Size

5.1MB
MD5

f6984ddaf1db55512dc31fe74fc4ea0f
SHA1

e75f1d6de82768ad4d7375f03bf6edec57e5dc20
SHA256

6519bb10f4281f4bd54ffbe6d314d7c445979ead9704e3037fbb586d27a382d4
SHA512

156c6bec575d632ce2c3847892685a33a482d30fae4009f7cd62af670c92b83046403ebc4747582d3b39ffd664308fff01c5dc6afe6afe3dc4ede2ef8587c053
SSDEEP

98304:443gFPKrJpY+uvx5k9kTbVARa2NXghIJK1s0KUq7+hff/AQwiuxpG0byGXVn:4GGPeY+oxuWbVfX2J8s0KUvtrhuxpG0/

Score

8^/10

spyware stealer upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1584-116-0x0000000000D40000-0x0000000001FF7000-memory.dmp	upx
behavioral2/memory/1584-117-0x0000000000D40000-0x0000000001FF7000-memory.dmp	upx
behavioral2/memory/1584-135-0x0000000000D40000-0x0000000001FF7000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1724	1584	6519BB10F4281F4BD54FFBE6D314D7C445979EAD9704E3037FBB586D27A382D4.exe	66
PID 1584 wrote to memory of 1724	1584	6519BB10F4281F4BD54FFBE6D314D7C445979EAD9704E3037FBB586D27A382D4.exe	66

C:\Users\Admin\AppData\Local\Temp\6519BB10F4281F4BD54FFBE6D314D7C445979EAD9704E3037FBB586D27A382D4.exe
"C:\Users\Admin\AppData\Local\Temp\6519BB10F4281F4BD54FFBE6D314D7C445979EAD9704E3037FBB586D27A382D4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Get-WmiObject Win32_PortConnector"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1584-116-0x0000000000D40000-0x0000000001FF7000-memory.dmp

Filesize
18.7MB

Download
memory/1584-117-0x0000000000D40000-0x0000000001FF7000-memory.dmp

Filesize
18.7MB

Download
memory/1584-135-0x0000000000D40000-0x0000000001FF7000-memory.dmp

Filesize
18.7MB

Download
memory/1724-118-0x0000000000000000-mapping.dmp

Download
memory/1724-124-0x000001E90FF50000-0x000001E90FF72000-memory.dmp

Filesize
136KB

Download
memory/1724-127-0x000001E928ED0000-0x000001E928F46000-memory.dmp

Filesize
472KB

Download