932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282

Analysis

max time kernel
126s
max time network
75s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:38

Target

932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
Size

200KB
MD5

e06cb24456c5f35199fade662cd0906b
SHA1

1f8758dbcd563d6c76860d16e563b6e62fb6342b
SHA256

932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282
SHA512

56d15c526e73d20a8252652707e1ac574e6ad4eef5254aa295086bae7e38d70d635b81a7958431519cbcacdd9a8f5f3a85602d42bfdfca79b9e5113fa3baafc2
SSDEEP

3072:qoTRAGJselmx5SYJ2KD/PxnDcDNILKa98t5bxHpRgnKayJD63zk:qoTRxse07S0bbxIN2S/JRgPy94

Score

8^/10

spyware stealer upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1436-60-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/588-63-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1120-70-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe

description	pid	process	target process
PID 1436 wrote to memory of 588	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 588	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 588	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 588	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 1120	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 1120	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 1120	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
PID 1436 wrote to memory of 1120	1436	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe	932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe

C:\Users\Admin\AppData\Local\Temp\932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
"C:\Users\Admin\AppData\Local\Temp\932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
C:\Users\Admin\AppData\Local\Temp\932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe startC:\Program Files (x86)\LP\F287\138.exe%C:\Program Files (x86)\LP\F287
2⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe
C:\Users\Admin\AppData\Local\Temp\932a64337784ca39c0a50e1c57b6a7ef5a33f1bd454986986914f4baaf7c6282.exe startC:\Users\Admin\AppData\Roaming\7A002\970F2.exe%C:\Users\Admin\AppData\Roaming\7A002
2⤵
PID:1120

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/588-62-0x0000000000581000-0x0000000000597000-memory.dmp

Filesize
88KB

Download
memory/588-57-0x0000000000000000-mapping.dmp

Download
memory/588-63-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/588-64-0x0000000000581000-0x0000000000597000-memory.dmp

Filesize
88KB

Download
memory/1120-65-0x0000000000000000-mapping.dmp

Download
memory/1120-71-0x0000000000591000-0x00000000005A7000-memory.dmp

Filesize
88KB

Download
memory/1120-70-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1120-69-0x0000000000591000-0x00000000005A7000-memory.dmp

Filesize
88KB

Download
memory/1436-60-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1436-68-0x0000000000641000-0x0000000000657000-memory.dmp

Filesize
88KB

Download
memory/1436-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1436-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1436-61-0x0000000000641000-0x0000000000657000-memory.dmp

Filesize
88KB

Download
memory/1436-56-0x0000000000641000-0x0000000000657000-memory.dmp

Filesize
88KB

Download