e8d7eb1532d41c0b920a8c3d01bff63f23619c4e04a80de22ba27f7b18437fb8

General

Target

1433214838524ccdac23a9139c169cdd.exe
Size

156KB
MD5

1433214838524ccdac23a9139c169cdd
SHA1

7831f5c8e05d233f29456a48d8690c7e49f77f23
SHA256

e8d7eb1532d41c0b920a8c3d01bff63f23619c4e04a80de22ba27f7b18437fb8
SHA512

2ccc394896f398e5ff111591428ec1ec74352094e3933895deeacb651c1960a71b8ffbcac2ec072bb3a5887b4a4328ecdac63f0e6f69b71cc4a26cdffa3f5284
SSDEEP

3072:GLXTYjj9L4obnXm/j/Dq03eYeUB1GQE3pxBnAsudd639SvO3t5:WX8aaXm/7Dq2pBjE3pzwdsaOH

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1896-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2676-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2676-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1896-20-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2432-82-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1896-84-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2676-144-0x0000000000500000-0x0000000000600000-memory.dmp	upx
behavioral1/memory/1896-187-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1896-190-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1896-196-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	1433214838524ccdac23a9139c169cdd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2676	1896	1433214838524ccdac23a9139c169cdd.exe	28
PID 1896 wrote to memory of 2676	1896	1433214838524ccdac23a9139c169cdd.exe	28
PID 1896 wrote to memory of 2676	1896	1433214838524ccdac23a9139c169cdd.exe	28
PID 1896 wrote to memory of 2676	1896	1433214838524ccdac23a9139c169cdd.exe	28
PID 1896 wrote to memory of 2432	1896	1433214838524ccdac23a9139c169cdd.exe	30
PID 1896 wrote to memory of 2432	1896	1433214838524ccdac23a9139c169cdd.exe	30
PID 1896 wrote to memory of 2432	1896	1433214838524ccdac23a9139c169cdd.exe	30
PID 1896 wrote to memory of 2432	1896	1433214838524ccdac23a9139c169cdd.exe	30

C:\Users\Admin\AppData\Local\Temp\1433214838524ccdac23a9139c169cdd.exe
"C:\Users\Admin\AppData\Local\Temp\1433214838524ccdac23a9139c169cdd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\1433214838524ccdac23a9139c169cdd.exe
  C:\Users\Admin\AppData\Local\Temp\1433214838524ccdac23a9139c169cdd.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\1433214838524ccdac23a9139c169cdd.exe
  C:\Users\Admin\AppData\Local\Temp\1433214838524ccdac23a9139c169cdd.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6D29.079

Filesize
297B

MD5
391a2842117881efb91731c1c45cf493

SHA1
c829cd607f96f8f852d468c9441467028d542859

SHA256
683e08b405ad9e70ef4552b141309c3a927e1f403b7f222f8e93b25d88c56347

SHA512
8de0b711c77bb2e0626c4cbe8ab9e8ee5a2d03f198367c7a316f13718e4c8b1cf6c6a3089e940ee4f9ca2470e996df88bdcf088cead4f1ed186e7e580be5fa34

Download Submit
C:\Users\Admin\AppData\Roaming\6D29.079

Filesize
1KB

MD5
5cecfe70a8f25a051bb3db9a5d218275

SHA1
6274a06f88730edce1c405c0b13c16e68e004e26

SHA256
4131ec8c725d2a61f936e4d0daa064c4b6b2b2877a806b2421bc99ffcb48106d

SHA512
05b82ca84a2a02d6e7b9d29179c05fb2589451ec413c72e53941f90cc1162569b02f6d14223f1bd2d198ba3dc797f6486df5b2816cc527773f180c48ee9d2359

Download Submit
C:\Users\Admin\AppData\Roaming\6D29.079

Filesize
897B

MD5
943e4841bb13a44b0e74462cc47c47a7

SHA1
2b36df30ad4316f45f890676c37aa1787edfc325

SHA256
57a782cb878e62e6db15d6dc7c66ad9592bb476ce81024e3f43c742b6fd90ae4

SHA512
9ecc8bdc09bc8bca7b0e31e77bfa57eecabd2ac8f8268dd9a127067b1efe3b3259d4633d98174297cfc19c77596051fbf9b6417ffea7ab700d562fcfd475dc82

Download Submit
C:\Users\Admin\AppData\Roaming\6D29.079

Filesize
1KB

MD5
25227bdc3d0f9d3864c3ed63c8b6affe

SHA1
6a42102f27ad0614522432ec5013d31ff11fed97

SHA256
18a8ae17e4cfa7ce8774b0dab67996f2d78520319cccf27bbddfb013714ac27a

SHA512
6208e2e2741ce785d4d5046cf0662e6e0cd13b1f89289c5fe49529f26b242a2e6ef02c0a6266d2438103dd2b724d1018260b2b20afd63051283f8772c7b221b3

Download Submit
memory/1896-85-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1896-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-2-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1896-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-83-0x00000000005B5000-0x00000000005D0000-memory.dmp

Filesize
108KB

Download
memory/2432-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-144-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2676-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-9-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads