9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9

Analysis

max time kernel
126s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:33

Target

9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
Size

180KB
MD5

13b3cc36b45d4023384add7b62c22b50
SHA1

0721d7d2612230f0b7f06354dcc0411a740281fc
SHA256

9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9
SHA512

6fcafdc56c1830cd4b136c0a9b1dd989a746886abddba19f954daf2ae8a44d4fb90304a9ee85b9cdef178c3c2daffebe1e4793bcfe88b08258fd11cc070bf772
SSDEEP

3072:+pXhv9wHRjZ/41BTxpdQduAGqtzuTOZYnkh9nBea/sleRR:MZOH9ZoTxpqNimYnO9nYaUER

Score

8^/10

spyware stealer upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/828-59-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1176-63-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/612-70-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe

description	pid	process	target process
PID 828 wrote to memory of 1176	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 1176	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 1176	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 1176	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 612	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 612	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 612	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
PID 828 wrote to memory of 612	828	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe	9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe

C:\Users\Admin\AppData\Local\Temp\9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
"C:\Users\Admin\AppData\Local\Temp\9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
C:\Users\Admin\AppData\Local\Temp\9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe startC:\Program Files (x86)\LP\3F46\B5D.exe%C:\Program Files (x86)\LP\3F46
2⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe
C:\Users\Admin\AppData\Local\Temp\9c75028299a67e38cb184efc03029f24cec99e525a6d85886ec16a22ac72adb9.exe startC:\Users\Admin\AppData\Roaming\611EF\B493F.exe%C:\Users\Admin\AppData\Roaming\611EF
2⤵
PID:612

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/612-71-0x00000000002F4000-0x000000000030B000-memory.dmp

Filesize
92KB

Download
memory/612-70-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/612-68-0x00000000002F4000-0x000000000030B000-memory.dmp

Filesize
92KB

Download
memory/612-65-0x0000000000000000-mapping.dmp

Download
memory/828-67-0x00000000008E4000-0x00000000008FB000-memory.dmp

Filesize
92KB

Download
memory/828-55-0x00000000008E4000-0x00000000008FB000-memory.dmp

Filesize
92KB

Download
memory/828-56-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/828-54-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/828-59-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/828-60-0x00000000008E4000-0x00000000008FB000-memory.dmp

Filesize
92KB

Download
memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1176-64-0x0000000000584000-0x000000000059B000-memory.dmp

Filesize
92KB

Download
memory/1176-63-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1176-61-0x0000000000584000-0x000000000059B000-memory.dmp

Filesize
92KB

Download