e0f046188e32e9793108675a8b8e8d389860c12cba5dda1b1d6c3510aa3b0689

General

Target

75061c1443020392bb408d05e9e8203e.exe
Size

182KB
MD5

75061c1443020392bb408d05e9e8203e
SHA1

83c5907f824aab2ebb3c76f81f2575fab2eb5eb9
SHA256

e0f046188e32e9793108675a8b8e8d389860c12cba5dda1b1d6c3510aa3b0689
SHA512

bdf7a7a2fc5a2ae9de2d348273eea84b7c285e971199602586d6e9c1867daaf36bc9217a4cb554452840ea06d06176a61cdfaf344553e29ed3bab8fb771968d3
SSDEEP

3072:TB2HmnnGG0yqG3jBOsdrrnPPw98kdW3yiQAkhYnXrHcnqlHYdOgvu5HG:F2GnCA3NlVrPI9AWhYnXr8qlHY3uRG

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2232-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1804-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2232-71-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2500-70-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2232-73-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2232-132-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2232-164-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2232-167-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

75061c1443020392bb408d05e9e8203e.exe

description	pid	process	target process
PID 2232 wrote to memory of 1804	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 1804	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 1804	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 1804	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 2500	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 2500	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 2500	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe
PID 2232 wrote to memory of 2500	2232	75061c1443020392bb408d05e9e8203e.exe	75061c1443020392bb408d05e9e8203e.exe

C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe
"C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe
C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
2⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe
C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
2⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F721.445
Filesize
1KB

MD5
f4e43bd160d5013508997fd9d6a92115

SHA1
fd38d9f7fe10dfe7853d2c06cad50cc8badaa967

SHA256
6b740386116b1d6827538fbe43c1c6a2e5a0f260ce5ea32b85be184a0f10818a

SHA512
c82728e2c3ddb0c7c6ee4913fd365715ab196489a837682b6ce219783612ce68b67f385ed01997b0470e2230515ffb0de203d302582e3227777d97c3bfb8d829

Download Submit
C:\Users\Admin\AppData\Roaming\F721.445
Filesize
600B

MD5
58755588f25fe9edd764b7d00b056788

SHA1
ec0c0833ebcdb35b2f4bfd2436932a5f5587fabc

SHA256
3b9c4d3fc5775430722946b0923e5940abbc0728ef91a31e738fe5c61d880148

SHA512
e4d8a157865b3f048657e0a9ec8e87334063f3b6afdf52db8b83a498b20552a50ac71e2ab6ca47c1ac7290014ce453a5644a96ffda7c40778b06a4776528feed

Download Submit
memory/1804-13-0x0000000000276000-0x0000000000291000-memory.dmp

Filesize
108KB

Download
memory/1804-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2232-74-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2232-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2232-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2232-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2232-3-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2232-132-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2232-164-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2232-167-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2500-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2500-72-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing