63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb

Analysis

max time kernel
151s
max time network
194s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe
Size

809KB
MD5

f585aea21cc735aa83fb93b1f95339ac
SHA1

202b156a1812ae95b70827c15140d44d7ee9febf
SHA256

63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb
SHA512

674670227b4641cf8e859b53fb0b1b44e2dcecbf0d4efca4c5fdc6f0ff1bd285589ad1a04cb6d498f431f77ec45388875121595a6c00e84fdbd0136e1256e29e
SSDEEP

24576:YaBM42lo1i05NjJ2tsperkXfHUAarbYRiM7:3iC1/5RJ0YTfH3Riq

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1372-54-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1372-56-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1372-58-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1372-59-0x0000000000400000-0x000000000063E000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe"	63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe
"C:\Users\Admin\AppData\Local\Temp\63f646a129e54f941bff7d7840955ac9d1f01cec56bcc1d0772134ae0ea254fb.exe"
1⤵
- Adds Run key to start application
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-54-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1372-56-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1372-57-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1372-58-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1372-59-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download