dc74706c05f9ae8a04cde9d2226a32c27cb0eea5a8b9e864dc51815018e3bcae

General

Target

2d1629dd1ac8de64defb3a44f628389e.exe
Size

168KB
MD5

2d1629dd1ac8de64defb3a44f628389e
SHA1

bade116d0bc6ff5e19e9170693b16d50064cfd28
SHA256

dc74706c05f9ae8a04cde9d2226a32c27cb0eea5a8b9e864dc51815018e3bcae
SHA512

e02990bc677c7497decd6822d0c32f50d5aa8c1572e276ed940a5e7f58dfc4b4e0f1577ed967c7ce88ac1ed9c5d5fbb3c64f86476739a6c2d71d7ba0a8da3732
SSDEEP

3072:RvhfC9Tl573lM/tl9TK8q9KtpCIsHwiHQ5SDEjfOWhUmkNl7PM9mWVsFZS:jfCg0ApCI5t0AjzhCNl7PkmDFZS

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-2-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2856-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2300-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2300-15-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1624-77-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1624-79-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2300-80-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2856-81-0x00000000002B0000-0x00000000003B0000-memory.dmp	upx
behavioral1/memory/2300-176-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2300-211-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2300-212-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	2d1629dd1ac8de64defb3a44f628389e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2856	2300	2d1629dd1ac8de64defb3a44f628389e.exe	27
PID 2300 wrote to memory of 2856	2300	2d1629dd1ac8de64defb3a44f628389e.exe	27
PID 2300 wrote to memory of 2856	2300	2d1629dd1ac8de64defb3a44f628389e.exe	27
PID 2300 wrote to memory of 2856	2300	2d1629dd1ac8de64defb3a44f628389e.exe	27
PID 2300 wrote to memory of 1624	2300	2d1629dd1ac8de64defb3a44f628389e.exe	31
PID 2300 wrote to memory of 1624	2300	2d1629dd1ac8de64defb3a44f628389e.exe	31
PID 2300 wrote to memory of 1624	2300	2d1629dd1ac8de64defb3a44f628389e.exe	31
PID 2300 wrote to memory of 1624	2300	2d1629dd1ac8de64defb3a44f628389e.exe	31

C:\Users\Admin\AppData\Local\Temp\2d1629dd1ac8de64defb3a44f628389e.exe
"C:\Users\Admin\AppData\Local\Temp\2d1629dd1ac8de64defb3a44f628389e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\2d1629dd1ac8de64defb3a44f628389e.exe
  C:\Users\Admin\AppData\Local\Temp\2d1629dd1ac8de64defb3a44f628389e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\2d1629dd1ac8de64defb3a44f628389e.exe
  C:\Users\Admin\AppData\Local\Temp\2d1629dd1ac8de64defb3a44f628389e.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A50A.4F6

Filesize
1KB

MD5
cac6f54996eb290da7f86bebf033a3d1

SHA1
4fb521b0289cc8f25ec323c72efd09cb02a913b5

SHA256
841aeda5f5b120478d8fe306f8842f85f4d0043073572e726639355134cb17b8

SHA512
4366497a2a6076948e4f038d87ec748e55395789aa85f708709ec2b8f3ebe97ad8a1f2b863bf9274096dda1276471d9a814e42030994b1f7c8bbaa4e6c5aea02

Download Submit
C:\Users\Admin\AppData\Roaming\A50A.4F6

Filesize
600B

MD5
a5eb730296202d3e40b3551b83ed5820

SHA1
dff0727080b846e15fa166746fcbe281a141a9c6

SHA256
33a0746bad74895f570dc194caf22542ec9fc9e79a966dd9e0871e4123312313

SHA512
275a0ff054e41eb70d0cb8ec8831f03c00dee7cd74eb88503d89c53d677fc38d374bf9db82079a8097e6c1a1b76ea108a0b9cc3c3580081bd2a4a412760564e1

Download Submit
C:\Users\Admin\AppData\Roaming\A50A.4F6

Filesize
996B

MD5
3050f18159e12227b210bc2125839064

SHA1
02873241362b4db71ed7688846b240f65b4d5ceb

SHA256
3e0b89a3126b04ff22733003a4182a16f150b521f22ca98a8cb621972355fe48

SHA512
8bed8ad1c24ebd6d8bfafe888757cc5cb689552f8145c5ff3c60a3326feeb611e09963783172f2faca3e8d70943fae87ec2ce7af913368dc1bbf21322a1b02cd

Download Submit
memory/1624-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-78-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2300-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-71-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2300-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-3-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2856-8-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2856-81-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2856-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads