e68fcfd1e7bc76c54c0e4dee8366871640d4035c7045e383eb4f6df65e075e79

General

Target

4cca065bb0330dffce620cf47d0aeb39.exe
Size

176KB
MD5

4cca065bb0330dffce620cf47d0aeb39
SHA1

3319bf811d95207384609d7fa0278cdc14500718
SHA256

e68fcfd1e7bc76c54c0e4dee8366871640d4035c7045e383eb4f6df65e075e79
SHA512

744dd819f25abdff78d04b0c3d8875e936cdf17f3434ceaf3de377cd8e07e6e1304dc4288232743505b5ea2f8fc5301cae6e1b6a1fbbe56ac23f41958e6d80a2
SSDEEP

3072:TuAPwqxrVzjpz1in36COUxRKqovt7ecDU9FUxtKmRl7nb4luO2I:p7ztzQD5AFdDUIxR64O2

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/724-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3096-8-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/724-117-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1788-118-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/724-141-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/724-225-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/724-304-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/724-329-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/724-482-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	4cca065bb0330dffce620cf47d0aeb39.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 3096	724	4cca065bb0330dffce620cf47d0aeb39.exe	89
PID 724 wrote to memory of 3096	724	4cca065bb0330dffce620cf47d0aeb39.exe	89
PID 724 wrote to memory of 3096	724	4cca065bb0330dffce620cf47d0aeb39.exe	89
PID 724 wrote to memory of 1788	724	4cca065bb0330dffce620cf47d0aeb39.exe	100
PID 724 wrote to memory of 1788	724	4cca065bb0330dffce620cf47d0aeb39.exe	100
PID 724 wrote to memory of 1788	724	4cca065bb0330dffce620cf47d0aeb39.exe	100

C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe
"C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe
  C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe
  C:\Users\Admin\AppData\Local\Temp\4cca065bb0330dffce620cf47d0aeb39.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D305.243

Filesize
996B

MD5
f25e58cf2b4366e669884e4afd6b22e1

SHA1
19352334b1689e1fea957dd86e968699ec6c2dca

SHA256
545f1795ea40d86ec4649d7b05a0291d5aa2d0ed2695db9f872408f798ae765d

SHA512
ce55251a249991182d9047ce56d42b0cef72b7c0dd66380f54ee0fcb8983d5a64283f0473e8e6aa477c5d3f734e805153504b597fbbddf80400924198e1e14f8

Download Submit
C:\Users\Admin\AppData\Roaming\D305.243

Filesize
600B

MD5
5906b5d42135655dd4b73747de03048c

SHA1
17477d0298780b341f9233a7795facad76af751a

SHA256
126a826e9ce33e672b1d88f4f3a16dc489c05e8e355fa8eb9c61a96b7dab2c67

SHA512
283ddf0b9cf922e6122eacfa922d2c0649ef884a232a690d4ef85c80c7531c59ad5ba790a197a88fa9acab26bcca7e2af302a8fc451398dd6192c49047727998

Download Submit
C:\Users\Admin\AppData\Roaming\D305.243

Filesize
1KB

MD5
85330ffc981558b94c79872edfee8e0c

SHA1
f1bb67befa1c5477df2af331db4882b780ace236

SHA256
b1d29d472f167f769173310e7747747e03564d5682adf7b416cb6b8e9d8b0c04

SHA512
64915b427f036123a31214906c60d940b1a7f9dd42ee87fdf358c95f095742d714844b779922e000a36cb86e6b07a32d347646e8b070a61a82d0c4e2e2f2eeee

Download Submit
memory/724-225-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-117-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-482-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-329-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-304-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-141-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-142-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/724-2-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/1788-120-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/1788-255-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/1788-118-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3096-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3096-9-0x0000000000496000-0x00000000004B1000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads