66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e

Analysis

max time kernel
203s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe
Size

916KB
MD5

e58f1444c12e6c32960bc69ff658dbb6
SHA1

8a54e35fb711c01cc04fc9ed5845b2eea11a3ddd
SHA256

66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e
SHA512

f707ec4d23dd4faac4491c29f611b1573c36850b745b6279691768f054785db1ed6bbc081eee171bea2025e6badc425912c60c65b52e1277f5a2775edca25c9b
SSDEEP

24576:AJnav4dbkHXlQTlACio/uyy5150XxiRE/gw:cav48X+TlAfUoteF/H

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

3820 setup.exe

pid	process
3820	setup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1648-132-0x00000000003D0000-0x0000000000686000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\setup.exe	upx
C:\Users\Admin\AppData\Local\Temp\setup.exe	upx
behavioral2/memory/1648-136-0x00000000003D0000-0x0000000000686000-memory.dmp	upx
behavioral2/memory/3820-137-0x0000000000C10000-0x0000000000EC6000-memory.dmp	upx
behavioral2/memory/3820-138-0x0000000000C10000-0x0000000000EC6000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exesetup.exe

pid	process
1648	66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe
1648	66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe
3820	setup.exe
3820	setup.exe
3820	setup.exe
3820	setup.exe
3820	setup.exe
3820	setup.exe
3820	setup.exe
3820	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe

description	pid	process	target process
PID 1648 wrote to memory of 3820	1648	66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe	setup.exe
PID 1648 wrote to memory of 3820	1648	66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe	setup.exe
PID 1648 wrote to memory of 3820	1648	66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe
"C:\Users\Admin\AppData\Local\Temp\66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
916KB

MD5
e58f1444c12e6c32960bc69ff658dbb6

SHA1
8a54e35fb711c01cc04fc9ed5845b2eea11a3ddd

SHA256
66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e

SHA512
f707ec4d23dd4faac4491c29f611b1573c36850b745b6279691768f054785db1ed6bbc081eee171bea2025e6badc425912c60c65b52e1277f5a2775edca25c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
916KB

MD5
e58f1444c12e6c32960bc69ff658dbb6

SHA1
8a54e35fb711c01cc04fc9ed5845b2eea11a3ddd

SHA256
66646db7a15ea28af0e73e11f56e0bf2e97a8d22c160fb92917cf48ecc34c20e

SHA512
f707ec4d23dd4faac4491c29f611b1573c36850b745b6279691768f054785db1ed6bbc081eee171bea2025e6badc425912c60c65b52e1277f5a2775edca25c9b

Download Submit
memory/1648-132-0x00000000003D0000-0x0000000000686000-memory.dmp

Filesize
2.7MB

Download
memory/1648-136-0x00000000003D0000-0x0000000000686000-memory.dmp

Filesize
2.7MB

Download
memory/3820-133-0x0000000000000000-mapping.dmp

Download
memory/3820-137-0x0000000000C10000-0x0000000000EC6000-memory.dmp

Filesize
2.7MB

Download
memory/3820-138-0x0000000000C10000-0x0000000000EC6000-memory.dmp

Filesize
2.7MB

Download