cdabc97117d4d6e6cf35a9c8f1df5ddb3ee0df4958970c83539ba7708bd06b91

General

Target

0d64b0b3dde7e36e5eba175718e39336.exe
Size

163KB
MD5

0d64b0b3dde7e36e5eba175718e39336
SHA1

94d4b1757e8389ca2dff351926402b551ff77ae8
SHA256

cdabc97117d4d6e6cf35a9c8f1df5ddb3ee0df4958970c83539ba7708bd06b91
SHA512

64ccbc010d26223f5c982610db85165d8f029f8895ede90fd503be3d649e4d8fe5faee112930884bd3b7472156f6e7ed7222d320bf71ef06d52da908efd42b39
SSDEEP

3072:PK+mttcAwwcitz9xCplVXopwppny/npY/QsJiwUSCZzi3QuX6:PK+StXlcM9xCFopwpDYXPZzu

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-4-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2668-9-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2668-11-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-16-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2580-83-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-85-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-155-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-156-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-159-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-190-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-193-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	0d64b0b3dde7e36e5eba175718e39336.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2668	2460	0d64b0b3dde7e36e5eba175718e39336.exe	28
PID 2460 wrote to memory of 2668	2460	0d64b0b3dde7e36e5eba175718e39336.exe	28
PID 2460 wrote to memory of 2668	2460	0d64b0b3dde7e36e5eba175718e39336.exe	28
PID 2460 wrote to memory of 2668	2460	0d64b0b3dde7e36e5eba175718e39336.exe	28
PID 2460 wrote to memory of 2580	2460	0d64b0b3dde7e36e5eba175718e39336.exe	30
PID 2460 wrote to memory of 2580	2460	0d64b0b3dde7e36e5eba175718e39336.exe	30
PID 2460 wrote to memory of 2580	2460	0d64b0b3dde7e36e5eba175718e39336.exe	30
PID 2460 wrote to memory of 2580	2460	0d64b0b3dde7e36e5eba175718e39336.exe	30

C:\Users\Admin\AppData\Local\Temp\0d64b0b3dde7e36e5eba175718e39336.exe
"C:\Users\Admin\AppData\Local\Temp\0d64b0b3dde7e36e5eba175718e39336.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\0d64b0b3dde7e36e5eba175718e39336.exe
  C:\Users\Admin\AppData\Local\Temp\0d64b0b3dde7e36e5eba175718e39336.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\0d64b0b3dde7e36e5eba175718e39336.exe
  C:\Users\Admin\AppData\Local\Temp\0d64b0b3dde7e36e5eba175718e39336.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4F2A.78E

Filesize
1KB

MD5
eb786547192afe20682d2d7724dd9b06

SHA1
c4c9be87004e547aa8c96b983b3e04ecef8e67f6

SHA256
0da1b5485e25d1a6cd2692c80e8073bcbcbaf266037df1ef6ed821f77eab0f76

SHA512
4d740f70334c7c63c1f978159015718bc2314f3db0311d6e3739f1d73c962fd411daebc97c85e53c2fc3470dffa1200db3a4295bca281c89c508bec353c2658d

Download Submit
C:\Users\Admin\AppData\Roaming\4F2A.78E

Filesize
600B

MD5
3d526532c523c237f4195f9a23481e20

SHA1
2545e150c8e2416b8e7b52a65916ac3e3d4bd9fa

SHA256
cd7607ee45e77449888ca4c2b48aae7b53b6341c4d4dd99029de55d45872c28d

SHA512
85fec8ab47e0a78785b7d7a05dcb464b9da1689b43ce71a6db8a1dca2a1674dbccca2cfdcfaadc4731e53205f5f80b3cd095e5b2b4bae0dcc47adee7f00346a3

Download Submit
C:\Users\Admin\AppData\Roaming\4F2A.78E

Filesize
996B

MD5
6a5b93f27fe5802fc9d7b2e3d27044f1

SHA1
f7ef7f1b55c558a4138a4789554a5ecc5d25c1de

SHA256
113fecd4144bdaac9ffa15c3dfb381665a208508d2c044725da99a9b789bda56

SHA512
635bd8f009d976ef5a344b21ea7ccbfa2e45ec9c69857be7668d3b82463f1fb87e4dd459096ab20a0229c1608d2ba2f13b20836b5b7ef6ffd71e2502c1768c54

Download Submit
memory/2460-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-17-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2460-2-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2460-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-84-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2580-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-10-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2668-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads