27b2f4ec35217caf6505fbfa81c79fe668697a7e493a55c8103697870731c3e0

General

Target

feb37c4bb526890ba86b1a17b09757d6.exe
Size

164KB
MD5

feb37c4bb526890ba86b1a17b09757d6
SHA1

8a41bd9ef7a73d1ededb98a7bb391086d1320c8b
SHA256

27b2f4ec35217caf6505fbfa81c79fe668697a7e493a55c8103697870731c3e0
SHA512

68f0aea963e7f02a6183b8e186164ea44c03001f1ef734d3d809f6e56957f4f9bcd0d167b0776125833f6b4479ddc56a6ae5ef44f5e0a1d8c22ce77bf3b6b677
SSDEEP

3072:CqLnX1AnPxQrKMN/X7xqTuDHuR0OmW3te+WwjL11Vbqioyk7QSCf:FLnCJEK4/NOuDHuiOmW8+WwjLfVeRxQF

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1476-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1476-4-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1472-9-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1472-14-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1476-15-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1968-89-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1968-88-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1476-91-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1476-155-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1476-192-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	feb37c4bb526890ba86b1a17b09757d6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1472	1476	feb37c4bb526890ba86b1a17b09757d6.exe	28
PID 1476 wrote to memory of 1472	1476	feb37c4bb526890ba86b1a17b09757d6.exe	28
PID 1476 wrote to memory of 1472	1476	feb37c4bb526890ba86b1a17b09757d6.exe	28
PID 1476 wrote to memory of 1472	1476	feb37c4bb526890ba86b1a17b09757d6.exe	28
PID 1476 wrote to memory of 1968	1476	feb37c4bb526890ba86b1a17b09757d6.exe	30
PID 1476 wrote to memory of 1968	1476	feb37c4bb526890ba86b1a17b09757d6.exe	30
PID 1476 wrote to memory of 1968	1476	feb37c4bb526890ba86b1a17b09757d6.exe	30
PID 1476 wrote to memory of 1968	1476	feb37c4bb526890ba86b1a17b09757d6.exe	30

C:\Users\Admin\AppData\Local\Temp\feb37c4bb526890ba86b1a17b09757d6.exe
"C:\Users\Admin\AppData\Local\Temp\feb37c4bb526890ba86b1a17b09757d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\feb37c4bb526890ba86b1a17b09757d6.exe
  C:\Users\Admin\AppData\Local\Temp\feb37c4bb526890ba86b1a17b09757d6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\feb37c4bb526890ba86b1a17b09757d6.exe
  C:\Users\Admin\AppData\Local\Temp\feb37c4bb526890ba86b1a17b09757d6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E80A.44B

Filesize
996B

MD5
94f9d27f64c83a4034a5edf1d6623248

SHA1
ea18a0359b5008e56c2a94d11218e51efbec415a

SHA256
82e39f379b0c10b14dd512b30a1c70f71a3336035d828cff1bcac81be4254e0f

SHA512
1c8e1e1d8cd61759350c733795ccedf47bb878cfb2ef68de6b12f3e4203eae9776b03deb6699e9c8771666c196674ba58f44da7d1a102e13fd1a5fe3a58f406b

Download Submit
C:\Users\Admin\AppData\Roaming\E80A.44B

Filesize
1KB

MD5
6cfc98954af5880a35ee92bc130942bc

SHA1
d81bf7ea61f9cf2cc9ba0be242ba67cb6684bf4f

SHA256
877f87b88f4952f165d7d29805c6fd764d5e0ef376246fa39eab1eada08f8791

SHA512
5fa4d3b1eb80eb4a8d7347ecb9fa7da976fc6a4811436b9eaa4a989679504ab7b651a7cf14bd5ada1e4b07aedf114fe0fea8050127656ff72c8f63508d048826

Download Submit
C:\Users\Admin\AppData\Roaming\E80A.44B

Filesize
1KB

MD5
85fd41226708f08a12dbdb437dc0064f

SHA1
aba886fa3a1dbce086934431fea535fca3f940d1

SHA256
917b7b3dd3500b8da4bb922032e4fd68403d497c1e0259301f7643139bca65e0

SHA512
a653dceb74fca0e302c8f8402fc558aac06cac1b6106211b62ff9ad9cee05ebeb8ea7485c922f0f030b89c0410eadea8af336e732963cd0d521250589668e41a

Download Submit
C:\Users\Admin\AppData\Roaming\E80A.44B

Filesize
300B

MD5
a7b3ca6422602d3293f32535dbd7b291

SHA1
9a13be8be515d3fcb78b42b4832b0c80b69239ac

SHA256
029a64c74e87b46d75a570aa958d9e158846166940400e50c47e935ace66f5b4

SHA512
4a0dce2b6e92a2372aa98857284541f30bd49257459d31c547b1ce5a4d8e56cf5614939e22f0c019ca515316b5126c62277c118b8a30feabfb82b13c0b5d3b06

Download Submit
C:\Users\Admin\AppData\Roaming\E80A.44B

Filesize
600B

MD5
237e2de23da654f41477ce8e5a33f9f1

SHA1
725af8cf55436dcd93fa10472c4ef8148866c9d2

SHA256
e89aaeb7ab45ca9672cedbacf575f6069c3ab051a74838d75abf036e822eff95

SHA512
8c1cf399ef2c606a0a4a750b1d5f428895f219ace7019c5082ecc118e46409a415904daf000a79df17c9b1faccc690698261b199e25b2ec57a67e6c7cb556e78

Download Submit
memory/1472-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1472-10-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1472-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-2-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/1476-91-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-6-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/1476-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-90-0x0000000000665000-0x000000000067F000-memory.dmp

Filesize
104KB

Download
memory/1968-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads