4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad

General

Target

4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe
Size

916KB
MD5

cf965508c61cba05253c4280972dcab4
SHA1

9e3296b6091ba1a05213e84dc72ecdf2936c2f9a
SHA256

4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad
SHA512

0b7be7a57a828a3a2bfdff182405714046a70bb4dd11f6232c7c24dcd59576602aa6382c8c99e4aa66ed9c1017a2a9296ef8da0c98828a7617ef62fe47a3615e
SSDEEP

24576:mJnav4dbkHXlQTlACio/uyy5150XxiRE/z0:mav48X+TlAfUoteF/4

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

872 setup.exe

pid	process
872	setup.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1628-55-0x0000000001220000-0x00000000014D6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\setup.exe	upx
C:\Users\Admin\AppData\Local\Temp\setup.exe	upx
C:\Users\Admin\AppData\Local\Temp\setup.exe	upx
behavioral1/memory/1628-61-0x0000000001220000-0x00000000014D6000-memory.dmp	upx
behavioral1/memory/872-62-0x0000000001120000-0x00000000013D6000-memory.dmp	upx
behavioral1/memory/872-63-0x0000000001120000-0x00000000013D6000-memory.dmp	upx
behavioral1/memory/872-64-0x0000000001120000-0x00000000013D6000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe

pid process

1628 4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exesetup.exe

pid	process
1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe
1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe
872	setup.exe
872	setup.exe
872	setup.exe
872	setup.exe
872	setup.exe
872	setup.exe
872	setup.exe
872	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe

description	pid	process	target process
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe
PID 1628 wrote to memory of 872	1628	4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe
"C:\Users\Admin\AppData\Local\Temp\4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
916KB

MD5
cf965508c61cba05253c4280972dcab4

SHA1
9e3296b6091ba1a05213e84dc72ecdf2936c2f9a

SHA256
4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad

SHA512
0b7be7a57a828a3a2bfdff182405714046a70bb4dd11f6232c7c24dcd59576602aa6382c8c99e4aa66ed9c1017a2a9296ef8da0c98828a7617ef62fe47a3615e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
916KB

MD5
cf965508c61cba05253c4280972dcab4

SHA1
9e3296b6091ba1a05213e84dc72ecdf2936c2f9a

SHA256
4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad

SHA512
0b7be7a57a828a3a2bfdff182405714046a70bb4dd11f6232c7c24dcd59576602aa6382c8c99e4aa66ed9c1017a2a9296ef8da0c98828a7617ef62fe47a3615e

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
916KB

MD5
cf965508c61cba05253c4280972dcab4

SHA1
9e3296b6091ba1a05213e84dc72ecdf2936c2f9a

SHA256
4df638a3b744df8981c53a7f6ebb39aa1b979aad51be1f273f7cd94ecd5966ad

SHA512
0b7be7a57a828a3a2bfdff182405714046a70bb4dd11f6232c7c24dcd59576602aa6382c8c99e4aa66ed9c1017a2a9296ef8da0c98828a7617ef62fe47a3615e

Download Submit
memory/872-57-0x0000000000000000-mapping.dmp

Download
memory/872-62-0x0000000001120000-0x00000000013D6000-memory.dmp

Filesize
2.7MB

Download
memory/872-63-0x0000000001120000-0x00000000013D6000-memory.dmp

Filesize
2.7MB

Download
memory/872-64-0x0000000001120000-0x00000000013D6000-memory.dmp

Filesize
2.7MB

Download
memory/1628-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/1628-55-0x0000000001220000-0x00000000014D6000-memory.dmp

Filesize
2.7MB

Download
memory/1628-61-0x0000000001220000-0x00000000014D6000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads