66f982c39befa47ef6e8eaf322a287fd8ff75c304b909c6c7102c01fbfc903bf

Analysis

max time kernel
7s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5d354cd5686dd9cdf53e6ffbbdd8de.exe
Size

386KB
MD5

3d5d354cd5686dd9cdf53e6ffbbdd8de
SHA1

a5742c4005efe189bb30f2c782e0b6b8bb5ffd54
SHA256

66f982c39befa47ef6e8eaf322a287fd8ff75c304b909c6c7102c01fbfc903bf
SHA512

09e4e3688ee0742dffe74bcd1c7677dd900f59f97b4342930e7b3cb34e43b3a7e83ae9f7519f8ffd307889dacad6b0c3ffefb6bc0c359b7f36a1c369843c7ec4
SSDEEP

6144:DhJhWT3UEIA1CqzU75aDdrTPbNZAXdPRh2IQLtL2yy02V3IGcIFoSe8OIQ:DzhGqAQqzU7GrTzNZeNAl2yy9BoSZOIQ

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4660-0-0x00000000004D0000-0x000000000061F000-memory.dmp	upx
behavioral2/files/0x000700000002321c-5.dat	upx
behavioral2/memory/4660-6-0x00000000004D0000-0x000000000061F000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 3788	4660	3d5d354cd5686dd9cdf53e6ffbbdd8de.exe	94
PID 4660 wrote to memory of 3788	4660	3d5d354cd5686dd9cdf53e6ffbbdd8de.exe	94
PID 4660 wrote to memory of 3788	4660	3d5d354cd5686dd9cdf53e6ffbbdd8de.exe	94

C:\Users\Admin\AppData\Local\Temp\3d5d354cd5686dd9cdf53e6ffbbdd8de.exe
"C:\Users\Admin\AppData\Local\Temp\3d5d354cd5686dd9cdf53e6ffbbdd8de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0.bat
  2⤵
  PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
173B

MD5
14e5122058af1684490e3469054ff4cc

SHA1
91f3f20e979b695129fbd47c833010fa2deb088a

SHA256
824c158a7e56e8b15667a6462de25c09684bed25cc43dd52fdb4a4949b3c9db1

SHA512
c9660bde0c44407848149245ddf8c3b2d6c9bb050d580e9e58c815b790ee8105b76467dd4e40f5c158233bf7ede1cf116d3431cc124e2bbcdb4db9b23a70f405

Download Submit
C:\Users\Admin\AppData\Local\Temp\43489.exe

Filesize
20KB

MD5
0df36f49c1589e65c5fdcbf33affe56d

SHA1
3fc367dbedbd76fc217d30d8af24f2fb4650bb31

SHA256
5ab0c82108b56eee622500908b1bd7416493ad5e3650334589ef604c051a1548

SHA512
83c450f8320967484277ac40756a15f7d1c132aea6e0e5ce33847848570f5d6dcd8ce1a05354f0d52d58d08f595f7a13e5dc71fa89c26ebb05f8930c1196aeec

Download Submit
memory/4660-0-0x00000000004D0000-0x000000000061F000-memory.dmp

Filesize
1.3MB

Download
memory/4660-6-0x00000000004D0000-0x000000000061F000-memory.dmp

Filesize
1.3MB

Download