13b3c0dfc85647f81e74d6e6d9540fdc103719cdc1c1d76238938667509d10c6

General

Target

42ab80bea83ca28028ff6c0683112767.exe
Size

146KB
MD5

42ab80bea83ca28028ff6c0683112767
SHA1

5e6be4f5429c6af51f374d71ef6f6b8e5d770369
SHA256

13b3c0dfc85647f81e74d6e6d9540fdc103719cdc1c1d76238938667509d10c6
SHA512

292f9573246efa185783c66e2eb07b8e82dac47a822bb8f83d7ca01aba1e0742655bd8c0fcaade11230716766b7b309037fd6fb0a392e629f072282729d83bf0
SSDEEP

3072:wOpXym/FMyEGyg1qq5xQfJrcji3ZSgMFdnmufnWXJN/:1YGyW5+fJQutMFdPOD/

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-1-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2128-5-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2360-9-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1376-78-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1376-80-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2360-81-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2128-169-0x0000000000580000-0x0000000000680000-memory.dmp	upx
behavioral1/memory/2360-170-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	42ab80bea83ca28028ff6c0683112767.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2128	2360	42ab80bea83ca28028ff6c0683112767.exe	28
PID 2360 wrote to memory of 2128	2360	42ab80bea83ca28028ff6c0683112767.exe	28
PID 2360 wrote to memory of 2128	2360	42ab80bea83ca28028ff6c0683112767.exe	28
PID 2360 wrote to memory of 2128	2360	42ab80bea83ca28028ff6c0683112767.exe	28
PID 2360 wrote to memory of 1376	2360	42ab80bea83ca28028ff6c0683112767.exe	30
PID 2360 wrote to memory of 1376	2360	42ab80bea83ca28028ff6c0683112767.exe	30
PID 2360 wrote to memory of 1376	2360	42ab80bea83ca28028ff6c0683112767.exe	30
PID 2360 wrote to memory of 1376	2360	42ab80bea83ca28028ff6c0683112767.exe	30

C:\Users\Admin\AppData\Local\Temp\42ab80bea83ca28028ff6c0683112767.exe
"C:\Users\Admin\AppData\Local\Temp\42ab80bea83ca28028ff6c0683112767.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\42ab80bea83ca28028ff6c0683112767.exe
  C:\Users\Admin\AppData\Local\Temp\42ab80bea83ca28028ff6c0683112767.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\42ab80bea83ca28028ff6c0683112767.exe
  C:\Users\Admin\AppData\Local\Temp\42ab80bea83ca28028ff6c0683112767.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2034.EAA

Filesize
300B

MD5
50cc1b1d42d71c09db11ddd640fa79e0

SHA1
5b90be323be998ee447973418d1acb2329541d7a

SHA256
d1bb41fe01e5b7e349b2c967154bd48581e690a6904ff8a43e13791fe47aac79

SHA512
d6dc87cd3bf8f3ac21a79cc58cd0594dedc2990291ee8bfa80768e179e3307e02f040552c1ea1eb8482377fda7f919debffc761e953d33c0834f9bf176011e9c

Download Submit
C:\Users\Admin\AppData\Roaming\2034.EAA

Filesize
1KB

MD5
122cc0dce5aad47bc0c603a5d7f773b2

SHA1
ba479005917b02fb2a05c70f780f19ca3c1357a7

SHA256
eff68ea10f16a380cc8f2429957a88a107f44aa261593b5e593c53a9b3d214cf

SHA512
86b419cf4a9a53a824dee6ef6b6100126c17e472651cabc4ebffd1996c5b5201893dbeef2866a3a1e3177b2e2899065218bbf7020b9ed83ee396c0411b047940

Download Submit
C:\Users\Admin\AppData\Roaming\2034.EAA

Filesize
696B

MD5
cbcb3d546bfecdec202adc43aa92c13f

SHA1
501e15238e56c0231af904f60ba563484fb982b0

SHA256
be1c036414cc7101d036c91758caa2e30bb24d00c57eb60bf171b275ce5fafa6

SHA512
eb13019002073cb27f1015f22f9b59271e020a44ad5621846dc562ff0d5529a96159c7ed2f03a80c5d26d38beca06341d0dc97c0706ba856fe8884a20b0dbc47

Download Submit
memory/1376-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1376-79-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1376-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2128-6-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2128-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2128-169-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2360-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-135-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2360-3-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2360-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads