8633a1bfdf74eb5dd172354ba64f21267fbc8ee80592270714808358276e1c62

General

Target

1ba4ce14a4b79c157cecb9c1f4f0eb78.exe
Size

161KB
MD5

1ba4ce14a4b79c157cecb9c1f4f0eb78
SHA1

87c857acef38c9cc79484c06e401cb7031fc6241
SHA256

8633a1bfdf74eb5dd172354ba64f21267fbc8ee80592270714808358276e1c62
SHA512

421a22bb986840ee3f98a74bb7abc61a7f695926ec481619e1788845b1395b7371d12d23ca204e99e0839062f04f0355ca3b95c5f4b448eb015b9884022bd554
SSDEEP

3072:owpq/0zyNk6Et4/rRZtkjzbXGMcU62IiuJJtsQ5:rthidOG/UmiyJt

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2996-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1248-5-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1248-7-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2996-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2636-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2996-87-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2996-179-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1248	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	28
PID 2996 wrote to memory of 1248	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	28
PID 2996 wrote to memory of 1248	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	28
PID 2996 wrote to memory of 1248	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	28
PID 2996 wrote to memory of 2636	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	30
PID 2996 wrote to memory of 2636	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	30
PID 2996 wrote to memory of 2636	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	30
PID 2996 wrote to memory of 2636	2996	1ba4ce14a4b79c157cecb9c1f4f0eb78.exe	30

C:\Users\Admin\AppData\Local\Temp\1ba4ce14a4b79c157cecb9c1f4f0eb78.exe
"C:\Users\Admin\AppData\Local\Temp\1ba4ce14a4b79c157cecb9c1f4f0eb78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\1ba4ce14a4b79c157cecb9c1f4f0eb78.exe
  C:\Users\Admin\AppData\Local\Temp\1ba4ce14a4b79c157cecb9c1f4f0eb78.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\1ba4ce14a4b79c157cecb9c1f4f0eb78.exe
  C:\Users\Admin\AppData\Local\Temp\1ba4ce14a4b79c157cecb9c1f4f0eb78.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\69FE.F68

Filesize
600B

MD5
b8ed71cfb42037a4b2c96439f95f33b8

SHA1
c5a080605f8e8b6e57c2e52b2f489fe9133826e4

SHA256
da7338d809df52a71addab3a34e0d748e7196df6dfe250291201f61362b708f2

SHA512
eef24669ef0e7af1976e167c01fa19b7532c337a3dde14ad9d061b07111adb6f4c7897acb1ad4edde8facc307c0ceb9e0b962b760e2344895fb9c99828e21b67

Download Submit
C:\Users\Admin\AppData\Roaming\69FE.F68

Filesize
1KB

MD5
5797bd07785d19408cad2c5e3f08c21e

SHA1
acfbdf90267465a45b5e466d1c000e6f75279e2f

SHA256
c71100de9bfbf27cdfb520f342a3ba8c323d4f97d76a4858e64e842cf56cc6fd

SHA512
3be43c01699421dc33572c5ad5b8bfe39eb2e7da4339e958cd6704b148880a10d27d9516690f0539074cb2d0cc0391ef4195f6674e6832a79608d4d9971edb1a

Download Submit
C:\Users\Admin\AppData\Roaming\69FE.F68

Filesize
996B

MD5
c0ba85ded518bdde3f3d2701bb978bd7

SHA1
ce976a15fc87684be1b2cd9d3b8a0a81ed0d042d

SHA256
2c0f5dbdba164b839bad9b03f7ef7c33e5f2be81ff027b5ec08d0b43e3e04998

SHA512
5226836f7ba398ec42e1cd2336c196a6ceb9a7a5968dcb9394de51c8b959a3542d3a7661b8fbe62160dd4c7ef2b34173e63a23b25c1dbe7735b66ed9d01832b4

Download Submit
memory/1248-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1248-6-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1248-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2636-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2636-85-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2996-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2996-87-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2996-88-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2996-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2996-2-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2996-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads