6d244b4b672ec7aa4614c2ad51b798e164c81ad38be191f6c0800a9dc2cc9d8d

General

Target

04ce697bd2d74a29d724e59b08359606.exe
Size

154KB
MD5

04ce697bd2d74a29d724e59b08359606
SHA1

9875e1229a860ec166bfefa46be2502588a97bb3
SHA256

6d244b4b672ec7aa4614c2ad51b798e164c81ad38be191f6c0800a9dc2cc9d8d
SHA512

d0e09d263ff2e3a88c837cb40ee4f1a2d8cecb7dbc543ee7c8f88d5c4575a632fed1ebe35302aa2bf82cedd8af159d8bb35f5f58b76b3a1fe116772c23507238
SSDEEP

3072:Budy3PuJjD7aHObMQ9Y3x0nIPHSi+pzX8/zHZFzjrGRrUGq514/LQ:BkkPSD7aHOAH0IPHzU+7rkgGEC

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2044-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1636-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1852-78-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2044-80-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2044-81-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	04ce697bd2d74a29d724e59b08359606.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1636	2044	04ce697bd2d74a29d724e59b08359606.exe	22
PID 2044 wrote to memory of 1636	2044	04ce697bd2d74a29d724e59b08359606.exe	22
PID 2044 wrote to memory of 1636	2044	04ce697bd2d74a29d724e59b08359606.exe	22
PID 2044 wrote to memory of 1636	2044	04ce697bd2d74a29d724e59b08359606.exe	22
PID 2044 wrote to memory of 1852	2044	04ce697bd2d74a29d724e59b08359606.exe	30
PID 2044 wrote to memory of 1852	2044	04ce697bd2d74a29d724e59b08359606.exe	30
PID 2044 wrote to memory of 1852	2044	04ce697bd2d74a29d724e59b08359606.exe	30
PID 2044 wrote to memory of 1852	2044	04ce697bd2d74a29d724e59b08359606.exe	30

C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe
"C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe
  C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe
  C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7DA2.FAE

Filesize
300B

MD5
88edac3c91af1501566b6cf55802a022

SHA1
cb4791b6bb357a180ac171e223faa55a84328fce

SHA256
2d2aa4caa56ece2a5d3adb6d88eac31537da7e110d12456897a431e8bc4e06e0

SHA512
343e5ca76ca1f6f22f3e08cc1f558ba73331e994f94547956e2f4f6782b4347c43e7819c0230fb8d77e6e9404c9db08dafff8672ccf1e65276353348c0425284

Download Submit
C:\Users\Admin\AppData\Roaming\7DA2.FAE

Filesize
1KB

MD5
ee94ad9a6392a0becc41a0d41df978c9

SHA1
7cb7252f342050a0fe157780aaf55a01b63ae0e4

SHA256
20f1e3b6befbf1cdfc35bd017715a4f97eedd2645a956be37b34d20276b00a47

SHA512
ba10fc074e6ad29046ba4dcd1242c6d9d3fbd42cf01362c9afaefba30eb9730d14be1c5da50278a7224677004c4cf51860b52d6748289209c5c1f924ef58af5d

Download Submit
C:\Users\Admin\AppData\Roaming\7DA2.FAE

Filesize
600B

MD5
c40ed962ddeb317260843f0c09db7ef2

SHA1
db2dc28868812ca096a688acc5711c713d32edf1

SHA256
36d72202d6b0b687d775fd9e9479b5bfd7014ab74a6ab321d363cc014e88c3db

SHA512
46de11c31734eae0d064b9d418858efa7111b0b17d72f6a175c0001fb631319c9852bfbfde890184863795c435dfc4219de97e96b6648e0492fd7c43dc744d9a

Download Submit
C:\Users\Admin\AppData\Roaming\7DA2.FAE

Filesize
996B

MD5
a586ce12ac9f0160cb87b0519eae0bf0

SHA1
e6065e81c3321dcd57b4335761f38c5f93149bfe

SHA256
03963f54a00f17d5b1b99eee40c4153fbe755572fda937dafb29d47e2b5a42c3

SHA512
ca7fb87f3747a22990a9d86ae584869d4deb3557c830d72c6a2fe2f70b9b5bfe9e65e1c47060512c813523c3dfffe1ee836db34ba17910120da94631998ce3b2

Download Submit
memory/1636-7-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1636-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-142-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1852-79-0x0000000000602000-0x000000000061C000-memory.dmp

Filesize
104KB

Download
memory/1852-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-82-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2044-3-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads