2696e9166a0715e548a1e3ac10fadc7199f5c62adb1c898116608a37b7ce97e2

Analysis

max time kernel
80s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.3MB
MD5

2dad0921a07acf1fed274d1120a0b8ce
SHA1

c4f3265e4355c86c1efb5f4ea839e8f1ba9b6450
SHA256

2696e9166a0715e548a1e3ac10fadc7199f5c62adb1c898116608a37b7ce97e2
SHA512

98b56d61d7fe94a065ab6ba2566c186dc251bb5e71737e61009b06307ced6f01a8ca4b4fafdc9a3d952f2566387e8b4c55fad7ec5de3eee1480048313b3cc4d4
SSDEEP

98304:oZIqu1kdVw0A/4G0kk9n/o0W0HaKVbAoRRcDnktWyFgdVO:EVu117/4Grk9/o0T6KVbHROD2FI

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3732-133-0x00000000002B0000-0x000000000110F000-memory.dmp	upx
behavioral2/memory/3732-134-0x00000000002B0000-0x000000000110F000-memory.dmp	upx

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4408	3732	tmp.exe	86
PID 3732 wrote to memory of 4408	3732	tmp.exe	86
PID 4408 wrote to memory of 4736	4408	cmd.exe	88
PID 4408 wrote to memory of 4736	4408	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 0
    3⤵
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3732-133-0x00000000002B0000-0x000000000110F000-memory.dmp

Filesize
14.4MB

Download
memory/3732-134-0x00000000002B0000-0x000000000110F000-memory.dmp

Filesize
14.4MB

Download