e68fcfd1e7bc76c54c0e4dee8366871640d4035c7045e383eb4f6df65e075e79

General

Target

4cca065bb0330dffce620cf47d0aeb39.exe
Size

176KB
MD5

4cca065bb0330dffce620cf47d0aeb39
SHA1

3319bf811d95207384609d7fa0278cdc14500718
SHA256

e68fcfd1e7bc76c54c0e4dee8366871640d4035c7045e383eb4f6df65e075e79
SHA512

744dd819f25abdff78d04b0c3d8875e936cdf17f3434ceaf3de377cd8e07e6e1304dc4288232743505b5ea2f8fc5301cae6e1b6a1fbbe56ac23f41958e6d80a2
SSDEEP

3072:TuAPwqxrVzjpz1in36COUxRKqovt7ecDU9FUxtKmRl7nb4luO2I:p7ztzQD5AFdDUIxR64O2

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2576-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2236-77-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3052-76-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2236-146-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2236-183-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2236-184-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2236-191-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	4cca065bb0330dffce620cf47d0aeb39.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2576	2236	4cca065bb0330dffce620cf47d0aeb39.exe	15
PID 2236 wrote to memory of 2576	2236	4cca065bb0330dffce620cf47d0aeb39.exe	15
PID 2236 wrote to memory of 2576	2236	4cca065bb0330dffce620cf47d0aeb39.exe	15
PID 2236 wrote to memory of 2576	2236	4cca065bb0330dffce620cf47d0aeb39.exe	15
PID 2236 wrote to memory of 3052	2236	4cca065bb0330dffce620cf47d0aeb39.exe	30
PID 2236 wrote to memory of 3052	2236	4cca065bb0330dffce620cf47d0aeb39.exe	30
PID 2236 wrote to memory of 3052	2236	4cca065bb0330dffce620cf47d0aeb39.exe	30
PID 2236 wrote to memory of 3052	2236	4cca065bb0330dffce620cf47d0aeb39.exe	30

C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe
"C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe
  C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe
  C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B9F3.8E3

Filesize
1KB

MD5
eba211005968c00080e0cc528ce8565a

SHA1
5fb6512d6343adc52e83060a7b79c20d04524528

SHA256
04684fa2fefde79704f0d282600311419d0e8334cf9e502b7dea856d263bae37

SHA512
9f38d18efedf0efc4208b22193036c467eca5b9bae22f0329cd170950208d6d2dbf8eeac059741360810ea10ce8213ba2da422faa350c46ff11f4af1289ec645

Download Submit
C:\Users\Admin\AppData\Roaming\B9F3.8E3

Filesize
600B

MD5
11f585875f84359361be67d99c86868e

SHA1
0f7dfa5b63585c1d3a558ba856b36f4be7df1a6d

SHA256
53c2e5edb21c38a8dd64d538bd08ab373cd54b89efb10abc8cb8a8db04cfa5b6

SHA512
319aad7b10c3647b84de1df94f0f07afbb717e2a45ac3fbde783f93c2609b421fbe9ca327e50bcefba1f4406bfb5ddfdf865b0389d08aa276ca02c7758cab225

Download Submit
C:\Users\Admin\AppData\Roaming\B9F3.8E3

Filesize
996B

MD5
a39011cf6cfb4914b7f1cf79a47a3739

SHA1
e708a200216a65ecaa1b9b131ff4753412e14176

SHA256
aaa2391a5f3e6bd4d8e3ffb3af172058d140b4d45803e0bafd03e25ac2ceb70c

SHA512
96e5384859bb765c25b5fdcfcb59d90e4d135fefea5f7ec7a575256442b6982209c77ec5743deceeb3d7201c61e33231dff707cca921deefc08104cd19fe76c0

Download Submit
memory/2236-77-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-79-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2236-2-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2236-146-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-184-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-191-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2576-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2576-14-0x00000000002BC000-0x00000000002D7000-memory.dmp

Filesize
108KB

Download
memory/3052-78-0x000000000056C000-0x0000000000587000-memory.dmp

Filesize
108KB

Download
memory/3052-76-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads