649f13472963e2d53e74c85e57ec86559c30326bdbdb3913a92dc2d5b23e7f14

General

Target

0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
Size

192KB
MD5

0b6db8ed4dfcaeb1c0f5dbb1e35037ff
SHA1

07a347c80e1592e7747c14a180b94f4273a81171
SHA256

649f13472963e2d53e74c85e57ec86559c30326bdbdb3913a92dc2d5b23e7f14
SHA512

d8f63c08c1d4b5b3fbe9e205f78207d119c91aa7a16b6c44c7934cf448f3ebcfd41c46c368ee0ea33d91f3f35425042c56030f25161ad77a796d5fb699187158
SSDEEP

6144:HUZU5ybhYu41iU6cVNauoAw7Gh+WiZ9BZYwQSixCi/ic:HU51Yu41iUCuLThYZYw8xCiJ

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-1-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2248-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2248-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3012-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2624-81-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3012-83-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3012-84-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3012-162-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3012-198-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lvvm.exe	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2248	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	29
PID 3012 wrote to memory of 2248	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	29
PID 3012 wrote to memory of 2248	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	29
PID 3012 wrote to memory of 2248	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	29
PID 3012 wrote to memory of 2624	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	30
PID 3012 wrote to memory of 2624	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	30
PID 3012 wrote to memory of 2624	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	30
PID 3012 wrote to memory of 2624	3012	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	30

C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
"C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
  C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe startC:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
  C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8495.B0E

Filesize
1KB

MD5
2f9908f3de11d969a7a575db8fc2e919

SHA1
09dfcb69e6dae059797b93143293b7712843e36b

SHA256
0d8d1218b494e554058e3b2326f2c71fe8267405ea0457a4b0eeb7e43d0bcad7

SHA512
7df7b80d9590e2fd8fac62c7c36d8896bf43a40b21f60885b0a9ee08f79af87c5ecbcb2ee07e94d40a32ad033aa949bbf60a3741cde43184c5f6180f2a028172

Download Submit
C:\Users\Admin\AppData\Roaming\8495.B0E

Filesize
600B

MD5
3549de3a8406ba7f50e6474c105cd4ef

SHA1
d16b482d37d3818096d4b151be0fa17de3ee1f41

SHA256
ce81cc01d405e518c97af0f3ff5ca43873ae6bc90aed0e256b2521762dd2322b

SHA512
0fbd3707c717172fbf3be76861d81f3b14b88c6cd7d3eba3c1ea0515f3bf94846d109a9cea4f1a19e9448cc97650715e2700615f1017dcf640388ca572e2f4be

Download Submit
C:\Users\Admin\AppData\Roaming\8495.B0E

Filesize
996B

MD5
eb982ab095dc4fc3589bea3810d15b99

SHA1
bfe797420dfbbfba7b61a87738ea7dc828cac11c

SHA256
9398211e7b375ba3a1afc43d2c79116e2cb2152ae8f2819ff9ada925d89a7f9e

SHA512
f9b3de0ebef4023b844c65243cd2e94c3abd59c8d9d695ec5abebf7b815b5d76efd6c66db7ab7a1cbaef60285802804ac52948f564c31e6b181290996898b7fb

Download Submit
memory/2248-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2248-14-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2248-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2248-86-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2624-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2624-82-0x0000000000538000-0x0000000000553000-memory.dmp

Filesize
108KB

Download
memory/3012-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-84-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-85-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3012-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-2-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3012-162-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-198-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing