f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81

General

Target

f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe
Size

712KB
MD5

4156ffea7dc597a8535223e3ace519ce
SHA1

204d517c4f5f8dc23de922362745fab206f260e7
SHA256

f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81
SHA512

4f075e850db67823d2455799e2bf7c309b86cbaa1f3d5fff8b21edca7915c0f7b6c9543a02073fef8a232ba86cc21fd6bbf1f586df39a496cfceef6d553f7c81
SSDEEP

12288:Xj5+W3mgmsKMzfoHR5TcAWxBdGuXhHYGuhMr7WP0smTluq:T5+W3wsTJA2YuUmr7WcsElu

Score

9^/10

Malware Config

Signatures

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/1188-74-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral1/memory/1780-77-0x000000000043A850-mapping.dmp	Nirsoft
behavioral1/memory/1780-85-0x0000000000400000-0x000000000043D000-memory.dmp	Nirsoft
behavioral1/memory/1188-84-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral1/memory/1780-86-0x0000000000400000-0x000000000043D000-memory.dmp	Nirsoft
behavioral1/memory/1380-90-0x00000000029F0000-0x0000000002AA2000-memory.dmp	Nirsoft

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1188-58-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1188-60-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1188-62-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1188-70-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1780-71-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1188-74-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1780-73-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1780-76-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1140-80-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1780-83-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1780-85-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1188-84-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1780-86-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1380-90-0x00000000029F0000-0x0000000002AA2000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 set thread context of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1188	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	27
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1780	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	28
PID 1380 wrote to memory of 1140	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	29
PID 1380 wrote to memory of 1140	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	29
PID 1380 wrote to memory of 1140	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	29
PID 1380 wrote to memory of 1140	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	29
PID 1380 wrote to memory of 1140	1380	f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe	29

C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe
"C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe
  C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe /scomma C:\Users\Admin\AppData\Local\Temp\msg.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe
  C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe /scomma C:\Users\Admin\AppData\Local\Temp\cho.txt
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe
  C:\Users\Admin\AppData\Local\Temp\f8a874217214592ac41407b62da1a6c6e6054ea60a4b4a7c491421c3e4d58b81.exe /scomma C:\Users\Admin\AppData\Local\Temp\mail.txt
  2⤵
  PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1140-79-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1188-74-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-62-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-84-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1380-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-69-0x0000000002810000-0x00000000028C2000-memory.dmp

Filesize
712KB

Download
memory/1380-90-0x00000000029F0000-0x0000000002AA2000-memory.dmp

Filesize
712KB

Download
memory/1380-89-0x0000000002810000-0x00000000028C2000-memory.dmp

Filesize
712KB

Download
memory/1380-88-0x00000000029F0000-0x0000000002AA2000-memory.dmp

Filesize
712KB

Download
memory/1380-87-0x00000000029F0000-0x0000000002AA2000-memory.dmp

Filesize
712KB

Download
memory/1380-66-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1780-83-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-86-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-73-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing