c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 07:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd.exe
Size

556KB
MD5

ec1aea6293c298fc37fedd4d4717e251
SHA1

84ed32832624295984f16a2fd02e2dc8275cee92
SHA256

c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd
SHA512

191414a6db5d7713ba15266d28562ad968d88147a1f9f2e91903d27702b1db9cb45672eaa2d564d46a78fdf5609a1e7bc9e07824606ba5707882d11c9eeba0e6
SSDEEP

12288:rGosTxSzpDq5VNYdyOshT5l4/86CaIhvPfNMIM1P27QwMMT6:rGosTxSEXzOV/UaIBNLMp20wMMT6

Score

8^/10

spyware stealer upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4572-132-0x0000000000400000-0x0000000000522000-memory.dmp	upx
behavioral2/memory/4572-133-0x0000000000400000-0x0000000000522000-memory.dmp	upx
behavioral2/memory/4572-134-0x0000000000400000-0x0000000000522000-memory.dmp	upx
behavioral2/memory/4572-135-0x0000000000400000-0x0000000000522000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is240567593.log	c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4572	c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd.exe
4572	c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd.exe

C:\Users\Admin\AppData\Local\Temp\c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd.exe
"C:\Users\Admin\AppData\Local\Temp\c4006de32ef9c5812d74c06eef9bf64eae46d93ca8be0954c8dd195b5cf333bd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4572-132-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4572-133-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4572-134-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4572-135-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download