e5097c807efcf6c09b2f26223dcbdb53516dedb40b40305b3a88efb0d63f644d

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f0ac445c0b5a66214a96cabb1526f86.exe
Size

174KB
MD5

7f0ac445c0b5a66214a96cabb1526f86
SHA1

14a760078a8a8a94e9c0c018a910d04a08c137fb
SHA256

e5097c807efcf6c09b2f26223dcbdb53516dedb40b40305b3a88efb0d63f644d
SHA512

3aad8719f831eeb4175b09434bd2223a88515aa3ff177a9994a243863d168b135e0e469184c40718cb29f7f7de87fd90a20ec156bb359e1d31347a2765976d7a
SSDEEP

3072:C79fIZzTalm7A5Qax8Y/2XUK0o3yje6cceHuVdR4dJ9cz7uNYD17bILf:C7JRQU+YkUpo3yS6cZOt4dJ9cz78YD1o

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2192-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2196-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2080-81-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2196-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2192	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	17
PID 2196 wrote to memory of 2192	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	17
PID 2196 wrote to memory of 2192	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	17
PID 2196 wrote to memory of 2192	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	17
PID 2196 wrote to memory of 2080	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	30
PID 2196 wrote to memory of 2080	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	30
PID 2196 wrote to memory of 2080	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	30
PID 2196 wrote to memory of 2080	2196	7f0ac445c0b5a66214a96cabb1526f86.exe	30

C:\Users\Admin\AppData\Local\Temp\7f0ac445c0b5a66214a96cabb1526f86.exe
"C:\Users\Admin\AppData\Local\Temp\7f0ac445c0b5a66214a96cabb1526f86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\7f0ac445c0b5a66214a96cabb1526f86.exe
  C:\Users\Admin\AppData\Local\Temp\7f0ac445c0b5a66214a96cabb1526f86.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\7f0ac445c0b5a66214a96cabb1526f86.exe
  C:\Users\Admin\AppData\Local\Temp\7f0ac445c0b5a66214a96cabb1526f86.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5D42.F2D

Filesize
1KB

MD5
296fde40196b34d541bf45a96bbd7a01

SHA1
c54c3811be448f6b4e0ad64b51d37b7bb39ce8b0

SHA256
67f0112e7c8be306357c01a1ebae905eec87b701f43d9a8b3e5c976f7799abc3

SHA512
b42dba1ad1ac7ac582cbea123307462fbe4d589f43967f339eeb4207406f4174432abf0cb2ac7c6b786d42419464a86aa7a867adb6dd682c930c7c01c34791e4

Download Submit
C:\Users\Admin\AppData\Roaming\5D42.F2D

Filesize
897B

MD5
fddb6677c420336f7bbd05f92c05daee

SHA1
6816013fc4890465a34e65727c81a0e8a7d8b90e

SHA256
2e4c347486ae2b25bd79d3a80c5a2d5e54ecd8ed8d83158eeae2bf51d1cd8832

SHA512
3ba7d1e13e72690a736e0fc6a25a3487ab9269aa2f477f2e114373815f4887e4561ff7a55a4dcf1db434cfd3fe9fc59d6e911769bee500f8994580bef025ce35

Download Submit
C:\Users\Admin\AppData\Roaming\5D42.F2D

Filesize
1KB

MD5
353c549241a15fccc23ae3a311165955

SHA1
6c7c5954ac83e8c6220a8012b7e11b24a0ba7fcd

SHA256
cc50e8d2e13815ebc9301baaf7e05c982bb2e83237eb0eabb9a3219d242ac8e7

SHA512
fa4ca6ad3c28db19f21e84d0c55f7e299382e2812a450ed3206364c523c2eda7952e8571234fdfcfb44fad191e0ecb0fe97d514cedb9939122da63cee876ed1f

Download Submit
memory/2080-82-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2080-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2192-8-0x0000000000532000-0x000000000054E000-memory.dmp

Filesize
112KB

Download
memory/2192-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2196-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2196-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2196-84-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2196-2-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2196-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download