e00783f017f220bf51e813b5b4963026321f437d3a90c49240e0336e49555b14

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d8f370ffe3234543311a48c72fc6c22.exe
Size

548KB
MD5

0d8f370ffe3234543311a48c72fc6c22
SHA1

cb80f5ac922e4c9a7f2603a7aaf6f5bd3e37821c
SHA256

e00783f017f220bf51e813b5b4963026321f437d3a90c49240e0336e49555b14
SHA512

d4cd55f85f1eea4e56f2d3168f7f9a90668353dd1ac12ef4e9a13a7da366fe545d836f73d33dcc6af9649ea665303becf734fc3f60339a53f437ab530002fcbe
SSDEEP

12288:+xX++BwqGOf7rqk9bebGr0ur+QRGaQGvOS4iC0Xi1tGTgQvzPMEMMyr:+9+tsfd9bEGr77YXEm0OtrQvzUEMMyr

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-0-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-2-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-1-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-94-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-100-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1008-101-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1008-102-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1008-104-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1008-110-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-169-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-170-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-171-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-172-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-173-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-174-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-176-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-177-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-178-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-179-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2340-180-0x0000000000400000-0x000000000051C000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is240640984.log	0d8f370ffe3234543311a48c72fc6c22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2340	0d8f370ffe3234543311a48c72fc6c22.exe
2340	0d8f370ffe3234543311a48c72fc6c22.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1008	2340	0d8f370ffe3234543311a48c72fc6c22.exe	91
PID 2340 wrote to memory of 1008	2340	0d8f370ffe3234543311a48c72fc6c22.exe	91
PID 2340 wrote to memory of 1008	2340	0d8f370ffe3234543311a48c72fc6c22.exe	91

C:\Users\Admin\AppData\Local\Temp\0d8f370ffe3234543311a48c72fc6c22.exe
"C:\Users\Admin\AppData\Local\Temp\0d8f370ffe3234543311a48c72fc6c22.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\0d8f370ffe3234543311a48c72fc6c22.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f370ffe3234543311a48c72fc6c22.exe" /_ShowProgress
  2⤵
  PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ish240609578\bootstrap_59371.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\css\sdk-ui\browse.css

Filesize
318B

MD5
10c359bc980927bb66b215407ece3e66

SHA1
4a2fc034bf7b4e84d832b6bbd9413d2055b9ec62

SHA256
5b12769a75d1c755a284a73e1b8422f73d6223c23b72e5bce698c17f50185aa8

SHA512
ed707c6bbf5023aa147571d9d186e8348b11da6fb462de69e4135480f2e10081c416c80745411752797401660221e2040e624b5a6d3e1a57ba59cdcc009eb16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\css\sdk-ui\checkbox.css

Filesize
190B

MD5
64773c6b0e3413c81aebc46cce8c9318

SHA1
50f84ef8331341b48981af82313b146863eba526

SHA256
b09504c1bf0486d3ec46500592b178a3a6c39284672af8815c3687cc3d29560d

SHA512
03e96bef74c0b3a31124c3d3c1bb78af1053a8719ca373c6b9316d63bac9545c1f4ecc2d747eb64341d8da31bc0f23da094e19c3e07ed46f65c28dc88e13bd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\css\sdk-ui\progress-bar.css

Filesize
501B

MD5
5ccd1d0dc39bb6ae4cd6b58f0b310eb0

SHA1
da659b6a37b18c26a8f7342f93c03fe649ab6344

SHA256
65246150423f8ef670f831b5a2ce1e924adc90e3bfbcce41e9fedbd1df8d27ff

SHA512
02f8eca06c0b8e69268c6aa1487ecf3a9024bce9ce757f2ac1b961df421d9121762f5f5abd5d00228f3a7416b2f21adb3a675114b32263b02fdfee9e0bd48781

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\Bg.jpg

Filesize
13KB

MD5
7979c0c1720c8020cd6b2c4c439c8dc1

SHA1
61848c9ffa2cc889cf7053340f8f1f6e2493a2fb

SHA256
8e95caad4d58b89dc56bc0b01d116e440606f5bb84d0b6c65b9f4ed9d236e183

SHA512
21591737e83b409bc41b8851abba6ef429bf2f836d34b5807420a223c5676c2009e79eb0b2cf1c698c5900613fe3643bae6667385264e120c853055ad7ad641b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\Software.png

Filesize
29KB

MD5
037277cc7c83e5ce275dbcd95f6b44ea

SHA1
2e0e2dcc43580f4e02676401247937a84eb4428a

SHA256
7231dd694f3e5c3ee42eb52164ff09bb631482d0606a240bcdfc4f501ccace06

SHA512
26d60b0ba537698fa9ef1f1e41e6b41207308caffd5f1a32946fa9631ecbc1d73fd8983f64aa5da7f35421c29d4208e04c14091f724dd45e79e131d77104ee4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\back-button.png

Filesize
1KB

MD5
c5d63a3d40ff748895cf763749e8b931

SHA1
b3b4248e492727690c2adc7306a8ea0cd675b2ef

SHA256
226abf53c68832d2f353baf5f6c4b22464571cf247e4b811b9e736a0712250e1

SHA512
57a8d996b853b0b756840079f47b10c0a5f56cd6ad330dfd82e8609e4f10cea26a7934e1635cf0db0ca4801600b6b25f71f443f4158a8b77c08b3cd75fe25774

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\close_button.png

Filesize
1KB

MD5
77804bd31b703f61b2c3de518cd25d38

SHA1
b9968e5cb49d8607eca39d1bb77dd6c7ec78ed0b

SHA256
ded6fa33bf68caa6e168dc52ad9665fc3045e4d78f4ae4025f4232d6ec3628c6

SHA512
fd1e64e5cedd50a68ce264c5c67e5d69189c56a49c5f1e47dfc7edd33b11115412b4ba9bdff0ea853221f2b8331e4326ad0196731b8fbddc9cb8df98c3dce8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\finish-button.png

Filesize
1KB

MD5
bde927ddfe21e4acbe1331b93b019883

SHA1
1f7d30c90a8f07917ec043a11f29028949fb7fd9

SHA256
54517f639ff9017fd8c8805151e52c7fff17240c84e7b02d6d63cf468b2043a2

SHA512
773c2aac75dd68f7f34185e9ef0d1b6e2bff2e720800339bfd223fe79f6dd96852cd5863a22c1f67903d69564594bd0709fcb0554967cf01c23a99ec007d2d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\icon.png

Filesize
6KB

MD5
de79607318368d7d82fefaef312c6fea

SHA1
6b6f07d0cebe9eb54d0a125f83ec52533ccaea8b

SHA256
be8ae8078450d28c47580f1a04ade46e1eb2b6fb8344c5e97ab739f1d9e97e42

SHA512
f9d974dbb5dc55920dae6314633fe14930d35fd7ae41f2e0ddb33d3833d9f362bf15545825c5019bcb9e24c53160256934289c9fbad5c6034bfa11d8c773b0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\loader.gif

Filesize
21KB

MD5
360281e85620142c3329848262da263d

SHA1
032ae1e422af859d78d172e918573fb0f55318de

SHA256
6c7d0d5402ebcf34cb6280473b4dac5966aae2a4bdadf80c796245663e2d9b55

SHA512
48ea37754839abce73898d29c6cb1ede20ac980dcd0b8c0f1274a690ea0bb44659129aba7581bd473ab7a735b7b9d08d6d041973bced4fe3fc0b70b3a73ec2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\next-button.png

Filesize
1KB

MD5
480bc7cc2b6e44d314da14ce58fc8681

SHA1
50611ec8622ee27aa65b53005e89bb705c3f4aa6

SHA256
614e34e75b472829cd43fb6be97327ef86c3fc7247d0a4044fae7ecb152efddf

SHA512
97236ee3797fe5815a736293798c968cce6b8197748cb5e64f3c81fbd6b8846ed90ce925ceababb3c0213144173b94ef27de0ecb80a706e8d093046bdad49a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609578\images\skip-button.png

Filesize
1KB

MD5
db6ed921d71eb71d0f2e472655163128

SHA1
fd05f5b1d3f7c22d2e552e5710a87c8377df5e9d

SHA256
1499b6c109c092920c6f19b4a213d7d35771d4410c7df2fe4d23ecbe5e257450

SHA512
cc46822bd1fb16dd9254fb6c9d5df23d30ee1a8fa0ec6954812ae0136a6f4cca7f78044fa5b0ffd87896a44c92aaa7520db4b0164cf2c7828abd3140c21ab866

Download Submit
memory/1008-104-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1008-101-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1008-105-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1008-110-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1008-102-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-168-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2340-171-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-94-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-3-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-2-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-0-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-169-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-170-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-100-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-172-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-173-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-174-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-176-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-177-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-178-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-179-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-180-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download