7798d420c3a5a4781ea08b4c7544e4acf2f8514d96ca98f43d816f4aa9811f97

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17278215467604b9bc6c9098b202dc20.exe
Size

324KB
MD5

17278215467604b9bc6c9098b202dc20
SHA1

4564f8e9afb757aad0a7808313ef18ba1aa8f9e8
SHA256

7798d420c3a5a4781ea08b4c7544e4acf2f8514d96ca98f43d816f4aa9811f97
SHA512

30277e9cd76bfcb3e5016e642286a676044cb20c5688148031b44371b3d1ae474a592d5a8653d0248d61dcd0521d0cbe2664139cae5455c25ad1ddf33ed3b4e1
SSDEEP

6144:b+XCCf2w/S8selKA73IqcDjXic/Dt/Q2IBzd+L4h/7+FooStIh1:b+7f2eJVK8TAXNJIBzi4h8ooStIh1

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-0-0x0000000000C50000-0x0000000000D37000-memory.dmp	upx
behavioral1/memory/2124-10-0x0000000000C50000-0x0000000000D37000-memory.dmp	upx
behavioral1/files/0x0033000000015c6f-12.dat	upx

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2816	2124	17278215467604b9bc6c9098b202dc20.exe	28
PID 2124 wrote to memory of 2816	2124	17278215467604b9bc6c9098b202dc20.exe	28
PID 2124 wrote to memory of 2816	2124	17278215467604b9bc6c9098b202dc20.exe	28
PID 2124 wrote to memory of 2816	2124	17278215467604b9bc6c9098b202dc20.exe	28

C:\Users\Admin\AppData\Local\Temp\17278215467604b9bc6c9098b202dc20.exe
"C:\Users\Admin\AppData\Local\Temp\17278215467604b9bc6c9098b202dc20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\255.bat
  2⤵
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\255.bat

Filesize
177B

MD5
548eb49f5cc6403216498cabec1d9831

SHA1
d997ae9f7ffb17651c29e5f543a376f6fcf885ca

SHA256
a40939a8920c99b9cc6c76a824cea42ebc496ba8f28dcdac37fd1d9e9950faac

SHA512
47572d535c48508edc76dd7b1aadd9b996f3bdc4009d1784863cc4efcd76bf66ab7e4235e9dfefd5fdea30f157aa8d522242d9ab2052f072b1182adeaf8c0ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\523423.exe

Filesize
324KB

MD5
17278215467604b9bc6c9098b202dc20

SHA1
4564f8e9afb757aad0a7808313ef18ba1aa8f9e8

SHA256
7798d420c3a5a4781ea08b4c7544e4acf2f8514d96ca98f43d816f4aa9811f97

SHA512
30277e9cd76bfcb3e5016e642286a676044cb20c5688148031b44371b3d1ae474a592d5a8653d0248d61dcd0521d0cbe2664139cae5455c25ad1ddf33ed3b4e1

Download Submit
memory/2124-0-0x0000000000C50000-0x0000000000D37000-memory.dmp

Filesize
924KB

Download
memory/2124-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2124-10-0x0000000000C50000-0x0000000000D37000-memory.dmp

Filesize
924KB

Download