e80a4fa530d1fbe9bce9079616313f27cc6ba93a785b63f68b725df2104fd54e

General

Target

8ecbffd0f3c2066d34a422c396e521e9.exe
Size

172KB
MD5

8ecbffd0f3c2066d34a422c396e521e9
SHA1

6dc476adc3b784397d5aeb159d1d5efc39a7b9ab
SHA256

e80a4fa530d1fbe9bce9079616313f27cc6ba93a785b63f68b725df2104fd54e
SHA512

052deb79e7e3f9a7cf4a16b92a94578f508899d30fb1b0c7a7c32236086a2754e36d6215d4c9c7603afdb5a79f461ada1c6de98aef5f6ff269e3545ef3718681
SSDEEP

3072:u/v728UhFHgZk+YRAqOkEA+A62Nc0qh66Vq0v60r5M7BZfYOWfrL/4:uq8AAZk+Y5Ocd+Rv60rk4RrT

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2820-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1956-83-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2232-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2232-86-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2232-180-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2232-184-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2820	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	28
PID 2232 wrote to memory of 2820	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	28
PID 2232 wrote to memory of 2820	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	28
PID 2232 wrote to memory of 2820	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	28
PID 2232 wrote to memory of 1956	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	30
PID 2232 wrote to memory of 1956	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	30
PID 2232 wrote to memory of 1956	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	30
PID 2232 wrote to memory of 1956	2232	8ecbffd0f3c2066d34a422c396e521e9.exe	30

C:\Users\Admin\AppData\Local\Temp\8ecbffd0f3c2066d34a422c396e521e9.exe
"C:\Users\Admin\AppData\Local\Temp\8ecbffd0f3c2066d34a422c396e521e9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\8ecbffd0f3c2066d34a422c396e521e9.exe
  C:\Users\Admin\AppData\Local\Temp\8ecbffd0f3c2066d34a422c396e521e9.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\8ecbffd0f3c2066d34a422c396e521e9.exe
  C:\Users\Admin\AppData\Local\Temp\8ecbffd0f3c2066d34a422c396e521e9.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7814.D9E

Filesize
1KB

MD5
82d57e2925ee3aa68d311e2cf1c9162d

SHA1
99ab9f84c6985c5be314ff343179a855768f6ced

SHA256
d9f4c09855bfe75266dc8d500aafddba3ac6f238ee5c82e5989d407e8ca5dee4

SHA512
cb29a2f67b39561ebd110bc4b52c0a30cb2b9b246d377cbc6498814a212295d457e4227c61fc26145d0f3135391b86026bf7183cdbf12d26bd44bd172d7b46e8

Download Submit
C:\Users\Admin\AppData\Roaming\7814.D9E

Filesize
600B

MD5
824d57136e0164bb7c54e02112cd9e64

SHA1
7aced3769e3d9d142a881873c695b31020793d58

SHA256
119c4e28626b76711aa693de75798fb7fbddd61db86830920b5f1b03da15be73

SHA512
ab17d02ef49f5e402f222b6fb67685a8b1f426322d53c0902f665c4c5d9850c67a7b21c9d2cac7dbea7c643bf705dfa7fbcfd416130070245d9dbd7e0d886353

Download Submit
C:\Users\Admin\AppData\Roaming\7814.D9E

Filesize
996B

MD5
670d62116c1b2db28fba1b9f8c588403

SHA1
58e25a665f216d7a1dfc285613b55ff8d0703ac8

SHA256
30c3ca9cf98f9cb641d1ec277e77444a39b1e54cf39412b909c9db977b7d58db

SHA512
91d1f6716795c16b9180c9728016a7a3018fd005a2c6ba255ab5d5cc97233d3c348b2a0ab91b219aa571dd50e1248339ae3bb6712b3b8241322fd1598f6738e7

Download Submit
memory/1956-85-0x00000000002B5000-0x00000000002CF000-memory.dmp

Filesize
104KB

Download
memory/1956-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2232-86-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2232-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2232-3-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2232-87-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2232-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2232-180-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2232-184-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2820-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2820-13-0x0000000000915000-0x000000000092F000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing