8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718

Analysis

max time kernel
56s
max time network
185s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
31-05-2023 22:17

Target

8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
Size

4.3MB
MD5

2adfeed43feb236e8bd4bab0a862b22c
SHA1

83705a265a086a6152973abf812fb21a7a7c7510
SHA256

8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718
SHA512

d19d0dcacbff85e724dbaf80bbf66bb4e5750be7dda80cd2fe61c8d258d4cabf2ef45a57bb1c7ba84f3572f1a75aa0080627e1f97f6b43c3df88d8470bad0c90
SSDEEP

98304:VYeBBQhD3S/U0Cpz+Y8TlbuEH9abRuCEvBQh8:Vim9CoY8Tpd84CE5W8

Score

7^/10

spyware stealer upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/4156-121-0x0000000000920000-0x000000000177E000-memory.dmp	upx
behavioral2/memory/4156-122-0x0000000000920000-0x000000000177E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.execmd.exe

description	pid	process	target process
PID 4156 wrote to memory of 4140	4156	8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe	cmd.exe
PID 4156 wrote to memory of 4140	4156	8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe	cmd.exe
PID 4140 wrote to memory of 4136	4140	cmd.exe	choice.exe
PID 4140 wrote to memory of 4136	4140	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
"C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/4156-121-0x0000000000920000-0x000000000177E000-memory.dmp

Filesize
14.4MB

Download
memory/4156-122-0x0000000000920000-0x000000000177E000-memory.dmp

Filesize
14.4MB

Download