e0b61ca2d58d5feb22ca259b7773ed584bff6ee07c1d1da7c6e61700926a4f8d

General

Target

49c9153d4515e88a2afc2d51feae2422.exe
Size

166KB
MD5

49c9153d4515e88a2afc2d51feae2422
SHA1

571baecd60787a733688f48e1a5450947d90697c
SHA256

e0b61ca2d58d5feb22ca259b7773ed584bff6ee07c1d1da7c6e61700926a4f8d
SHA512

62a6cb9919b6e39bbdf626af6f1e4460466b45032042b1f5a39afb07450dfa57fdd6cb330c39c5a4dcedd3efa73979d39943c5094d16e74a66db35e46afd0a9d
SSDEEP

3072:dq6j9G8ZNe6josCrviHwx2267RwnGVRh4hyESGPmM:Xj8+6vZl67k0shyESM

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2000-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2912-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2912-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2000-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1488-78-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1488-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2000-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2912-145-0x0000000000570000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/1488-147-0x0000000000290000-0x0000000000390000-memory.dmp	upx
behavioral1/memory/2000-182-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2000-183-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	49c9153d4515e88a2afc2d51feae2422.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2912	2000	49c9153d4515e88a2afc2d51feae2422.exe	28
PID 2000 wrote to memory of 2912	2000	49c9153d4515e88a2afc2d51feae2422.exe	28
PID 2000 wrote to memory of 2912	2000	49c9153d4515e88a2afc2d51feae2422.exe	28
PID 2000 wrote to memory of 2912	2000	49c9153d4515e88a2afc2d51feae2422.exe	28
PID 2000 wrote to memory of 1488	2000	49c9153d4515e88a2afc2d51feae2422.exe	30
PID 2000 wrote to memory of 1488	2000	49c9153d4515e88a2afc2d51feae2422.exe	30
PID 2000 wrote to memory of 1488	2000	49c9153d4515e88a2afc2d51feae2422.exe	30
PID 2000 wrote to memory of 1488	2000	49c9153d4515e88a2afc2d51feae2422.exe	30

C:\Users\Admin\AppData\Local\Temp\49c9153d4515e88a2afc2d51feae2422.exe
"C:\Users\Admin\AppData\Local\Temp\49c9153d4515e88a2afc2d51feae2422.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\49c9153d4515e88a2afc2d51feae2422.exe
  C:\Users\Admin\AppData\Local\Temp\49c9153d4515e88a2afc2d51feae2422.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\49c9153d4515e88a2afc2d51feae2422.exe
  C:\Users\Admin\AppData\Local\Temp\49c9153d4515e88a2afc2d51feae2422.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3DE3.912

Filesize
1KB

MD5
700a6ddb9819b2ab0e5d11654e173ece

SHA1
3923b7b69ab5726f1daec113b78db92fcb7bf79a

SHA256
c686af073fc87b420c15af4cd773268449b0f4cd0b0d97b26e1452a07ac95843

SHA512
8f9e606e0479aed708e25c8a8fde2cb690f2dd556a33b58f70f6714ce850549411fcca98f1608aee2053f6b940d1f8d856dae22fb7c918f2591768acd8f55e18

Download Submit
C:\Users\Admin\AppData\Roaming\3DE3.912

Filesize
600B

MD5
ab3e61c1c49679a925773f36290a885e

SHA1
66aed04ef5ca346f15ca5bdfcebf84dc5f4b9d8b

SHA256
569cd5efe4a7e24de499d40c39424c0e4b374bd1fe8ca853a2c5a117af7da438

SHA512
9b7f7281fd6af45ebd9ba9146a31199b0a06efe1142e7400bdd89a0c062f41e1ff34b1cbdf5f20b93521223d54b5c219e745e1d23c5ec2176751e608406e8f5c

Download Submit
memory/1488-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1488-78-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1488-147-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1488-80-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2000-2-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2000-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2000-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2000-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2000-82-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2000-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2000-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2912-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2912-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2912-145-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2912-14-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads