d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1

Analysis

max time kernel
177s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1.exe
Size

1.1MB
MD5

4453f692c2062af60be003b7a61e7d6a
SHA1

9955ea292c15e32e1f16a4e28154d20aafe81033
SHA256

d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1
SHA512

578c420d16604421d19924fb9026b5b6b1c8dddd14d3c9082dde371882ee829d9f2c5b3fb5f4f33ffa62237ace78a98cc659b9eae9dfae7ce1bc59ec1cc2ea67
SSDEEP

24576:h2B/px66T9tEern9hV+JwpzOU+T0qtFUYDiMMLe:hBo9tVJ6TDFUYDiMMa

Score

8^/10

spyware stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5080-132-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/5080-133-0x0000000000400000-0x0000000000521000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is240601453.log	d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5080	d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1.exe
5080	d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1.exe

C:\Users\Admin\AppData\Local\Temp\d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1.exe
"C:\Users\Admin\AppData\Local\Temp\d23739e6d2df473e5a299702c7e54d361b552c0d148f365a199eac242721f1c1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5080-132-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/5080-133-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download