649f13472963e2d53e74c85e57ec86559c30326bdbdb3913a92dc2d5b23e7f14

Analysis

max time kernel
172s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
Size

192KB
MD5

0b6db8ed4dfcaeb1c0f5dbb1e35037ff
SHA1

07a347c80e1592e7747c14a180b94f4273a81171
SHA256

649f13472963e2d53e74c85e57ec86559c30326bdbdb3913a92dc2d5b23e7f14
SHA512

d8f63c08c1d4b5b3fbe9e205f78207d119c91aa7a16b6c44c7934cf448f3ebcfd41c46c368ee0ea33d91f3f35425042c56030f25161ad77a796d5fb699187158
SSDEEP

6144:HUZU5ybhYu41iU6cVNauoAw7Gh+WiZ9BZYwQSixCi/ic:HU51Yu41iUCuLThYZYw8xCiJ

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-1-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/804-9-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4900-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3136-117-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3136-119-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4900-121-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4900-189-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4900-192-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lvvm.exe	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 804	4900	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	92
PID 4900 wrote to memory of 804	4900	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	92
PID 4900 wrote to memory of 804	4900	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	92
PID 4900 wrote to memory of 3136	4900	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	95
PID 4900 wrote to memory of 3136	4900	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	95
PID 4900 wrote to memory of 3136	4900	0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe	95

C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
"C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
  C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe startC:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe
  C:\Users\Admin\AppData\Local\Temp\0b6db8ed4dfcaeb1c0f5dbb1e35037ff.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5889.230

Filesize
996B

MD5
efdb3979343ea18e626f66ac4ed8cf46

SHA1
99e06e56a29db069b9f4c640733c177701432274

SHA256
c9f2f21c07dcdd32fa59f2a218c9ac2c9c13c2dc167cc2be2897e26e847d763c

SHA512
a69839b2b0a8fd604418ec1e3a9791e0285d80f5371d99fab8d89faf21964d6865868d6dc8763e770906276ac0e453649846dc3dfa72b118b757b7de2d6cfff5

Download Submit
C:\Users\Admin\AppData\Roaming\5889.230

Filesize
600B

MD5
07aa3864acfc34a4a8a8a19e1a485c67

SHA1
362c4efbe5cb81407b92e89613deb02cd4af757a

SHA256
cb42a475b2494b92144c613b5a74a3d5f98e6f555dfd84f3d7da0d42f3e784d1

SHA512
9a88fb06e1a5723cc6b3e81dd7df2c4011db8f1d25a7c5bacbd7c0e92ba71669657e1f57fdc43a07115e48df3cd9380366148a8ee61ec64d2fbd72fc351e18a7

Download Submit
C:\Users\Admin\AppData\Roaming\5889.230

Filesize
1KB

MD5
76b8e6ac7cc7de162815735c2137e9b0

SHA1
af56199d409f24d939db4d1c5c4ef5748300f468

SHA256
c220f84733b2c10b37b2c36f7da699d4f5b1fb0ab890d494d798e7db9fd3e83b

SHA512
1f0a6b71b272cc158952bd42ead6480f88e5ed6bb7184d2c15ad9e1c94054ade18fb6bfd0f6483e2804b16f8503cac1d728d8ba53369b094360993337efbb208

Download Submit
memory/804-120-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/804-8-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/804-10-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/804-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3136-117-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3136-119-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3136-118-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/4900-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4900-111-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/4900-121-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4900-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4900-2-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/4900-189-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4900-192-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download