b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f

Analysis

max time kernel
152s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe
Size

190KB
MD5

028f1ded60a58e259f3f2baf1457ef24
SHA1

65e03ef7f75de4300cc89b4d7edb2bfc724f80ba
SHA256

b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f
SHA512

1b1d4df4af4d98d5749cc1c0cbac59d1945197a9b649f8de081ee111f1948d9bc2d1f2aa4f8a56906bd33548de780e485ed4f7debf379e62b9f96de7bc82c870
SSDEEP

3072:tkSo00cjxch6RVPlM7oX0TwMYeprNppILfKZrCl7Ua:tJ+YVNfCrXxpp6yZ4

Score

8^/10

spyware stealer upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1032-55-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1996-59-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1032-61-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2016-65-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1996	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	27
PID 1032 wrote to memory of 1996	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	27
PID 1032 wrote to memory of 1996	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	27
PID 1032 wrote to memory of 1996	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	27
PID 1032 wrote to memory of 2016	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	29
PID 1032 wrote to memory of 2016	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	29
PID 1032 wrote to memory of 2016	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	29
PID 1032 wrote to memory of 2016	1032	b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe	29

C:\Users\Admin\AppData\Local\Temp\b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe
"C:\Users\Admin\AppData\Local\Temp\b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe
  C:\Users\Admin\AppData\Local\Temp\b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe
  C:\Users\Admin\AppData\Local\Temp\b6470547277fdb7e1d3f44159c79512ca2de34cfaf30819f4c062547ad87576f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1032-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1032-56-0x00000000002F6000-0x0000000000313000-memory.dmp

Filesize
116KB

Download
memory/1032-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1032-62-0x00000000002F6000-0x0000000000313000-memory.dmp

Filesize
116KB

Download
memory/1996-59-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1996-60-0x00000000005D6000-0x00000000005F3000-memory.dmp

Filesize
116KB

Download
memory/2016-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2016-66-0x0000000000616000-0x0000000000633000-memory.dmp

Filesize
116KB

Download