c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1

Analysis

max time kernel
103s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:30

Target

c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe
Size

4.3MB
MD5

060302eb86d96eda59e36eb86e0f2350
SHA1

8e92374a50589727383d241d59cf565e628743e3
SHA256

c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1
SHA512

1f68702c21e64e1a1bd0e02fd027b3223a600665b98be8c370b5b02bf62522a1bd242eabf4e9377e1c704251c849f4f5496e43591cb5fcc55b1e16d940a9b269
SSDEEP

98304:xYPZLCzAqGift2zgqE0HJ97Lyaf7QRuPYnGcs15CI8nV11nPEB1o:xaCzPGPgqTJ97LzQRuPYTs15C5nV1Z4o

Score

7^/10

spyware stealer upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1516-133-0x0000000000650000-0x00000000014B1000-memory.dmp	upx

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 2352	1516	c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe	cmd.exe
PID 1516 wrote to memory of 2352	1516	c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe	cmd.exe
PID 2352 wrote to memory of 4640	2352	cmd.exe	choice.exe
PID 2352 wrote to memory of 4640	2352	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe
"C:\Users\Admin\AppData\Local\Temp\c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2352

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/1516-133-0x0000000000650000-0x00000000014B1000-memory.dmp

Filesize
14.4MB

Download
memory/1516-134-0x0000000000650000-0x00000000014B1000-memory.dmp

Filesize
14.4MB

Download