6d244b4b672ec7aa4614c2ad51b798e164c81ad38be191f6c0800a9dc2cc9d8d

General

Target

04ce697bd2d74a29d724e59b08359606.exe
Size

154KB
MD5

04ce697bd2d74a29d724e59b08359606
SHA1

9875e1229a860ec166bfefa46be2502588a97bb3
SHA256

6d244b4b672ec7aa4614c2ad51b798e164c81ad38be191f6c0800a9dc2cc9d8d
SHA512

d0e09d263ff2e3a88c837cb40ee4f1a2d8cecb7dbc543ee7c8f88d5c4575a632fed1ebe35302aa2bf82cedd8af159d8bb35f5f58b76b3a1fe116772c23507238
SSDEEP

3072:Budy3PuJjD7aHObMQ9Y3x0nIPHSi+pzX8/zHZFzjrGRrUGq514/LQ:BkkPSD7aHOAH0IPHzU+7rkgGEC

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2700-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1968-15-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2892-85-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1968-87-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1968-154-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	04ce697bd2d74a29d724e59b08359606.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2700	1968	04ce697bd2d74a29d724e59b08359606.exe	28
PID 1968 wrote to memory of 2700	1968	04ce697bd2d74a29d724e59b08359606.exe	28
PID 1968 wrote to memory of 2700	1968	04ce697bd2d74a29d724e59b08359606.exe	28
PID 1968 wrote to memory of 2700	1968	04ce697bd2d74a29d724e59b08359606.exe	28
PID 1968 wrote to memory of 2892	1968	04ce697bd2d74a29d724e59b08359606.exe	30
PID 1968 wrote to memory of 2892	1968	04ce697bd2d74a29d724e59b08359606.exe	30
PID 1968 wrote to memory of 2892	1968	04ce697bd2d74a29d724e59b08359606.exe	30
PID 1968 wrote to memory of 2892	1968	04ce697bd2d74a29d724e59b08359606.exe	30

C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe
"C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe
  C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe
  C:\Users\Admin\AppData\Local\Temp\04ce697bd2d74a29d724e59b08359606.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C759.7D0

Filesize
596B

MD5
f92814b65d7d483f87d772839efb1ad9

SHA1
b907a400af0c93f1638cadd579e3de70c3e01f27

SHA256
75b82e4d4b0c68d5be7cf8c639eda9c7212fad7e4b1182b462355226de7f3686

SHA512
ca4ab8d277cb2c55b17d7ef628a2b2a5545e7579663166141de54a3e00b9c98fcd3e1503939e6400633c72550cd27f2413afd16782b0bc3c54e15675ee222fdc

Download Submit
C:\Users\Admin\AppData\Roaming\C759.7D0

Filesize
1KB

MD5
a34cbfc6fac9bf751d6dbf67d2437180

SHA1
6ec54c431ca8bedf49125ac20af52f48ebdd3739

SHA256
3504c1e24a0c889c623e2a4727f9906cccc84302d1019e73283d0b3303d4cbcc

SHA512
475e34b8f5daa01d21d0796a2b2842d35604c77d85a35ad0d1dfed89daff840b8b3293c59833d2acad81dc9fa198cdf44a29ecc4597b52ab785967d43deb18ac

Download Submit
C:\Users\Admin\AppData\Roaming\C759.7D0

Filesize
600B

MD5
e6787eb01557584f0bbb96f4b6977aa5

SHA1
bcd1cbb4d42f4f6839a0724bd1e1f492aa3ba790

SHA256
8b180ba2c544577068a2792208da2334f84c6ae34fdf5cde246c2a4047c7de56

SHA512
a7a0ae99470779f7f38081b473546ed4c9459935731b8bf41a593f96e3c35fb32c4093bf08e76fb853cc702fc29df6687a3aa26a4f2662e2638b2afa9238a5c7

Download Submit
C:\Users\Admin\AppData\Roaming\C759.7D0

Filesize
996B

MD5
4d1e3561f7a76d58420b7028104a8d4c

SHA1
60b86f49a81efeea0f8adb70c22681a5cd72352e

SHA256
25ddf4d29a460bf5d1fc94b03ec3fa83fc12545d4acce4fc80a22a5e57774aa9

SHA512
05e2f6940a3036cd6883005020e10eb15b1a1f7aa8ae91deff2cf0f5d945676f319e46ffff2ff63e1e69dc78f77d10360051c2568994adc12b0b0e92da3e2d04

Download Submit
memory/1968-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-2-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1968-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-88-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2700-7-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2700-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-86-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2892-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads