78f1f4642c5b308ba1c4f5d1373128f5b440141b4591518294f46d19b045da73

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f2f53987a393d26762f0347e519a16f.exe
Size

180KB
MD5

8f2f53987a393d26762f0347e519a16f
SHA1

54e9c8a444df8de563673e58c8350001b7aee0dc
SHA256

78f1f4642c5b308ba1c4f5d1373128f5b440141b4591518294f46d19b045da73
SHA512

b88aa8e9b61c213e45ef0575d02e840b639aa908167de68bd37f52a0dd79c7c6d49a7d6fb65bc9c9630730164ed4d259e86e0532895ae800aee86c8199ebba1f
SSDEEP

3072:iob9+1DPNC2QoXq4jbHyrlgNtv5/vt9PxEuwXYnWrorK4o1CszpXawA1:iobIFVCY/HQ4tv5/NGvsHo1Csz

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/468-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/808-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/468-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4620-117-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/468-306-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 808	468	8f2f53987a393d26762f0347e519a16f.exe	84
PID 468 wrote to memory of 808	468	8f2f53987a393d26762f0347e519a16f.exe	84
PID 468 wrote to memory of 808	468	8f2f53987a393d26762f0347e519a16f.exe	84
PID 468 wrote to memory of 4620	468	8f2f53987a393d26762f0347e519a16f.exe	90
PID 468 wrote to memory of 4620	468	8f2f53987a393d26762f0347e519a16f.exe	90
PID 468 wrote to memory of 4620	468	8f2f53987a393d26762f0347e519a16f.exe	90

C:\Users\Admin\AppData\Local\Temp\8f2f53987a393d26762f0347e519a16f.exe
"C:\Users\Admin\AppData\Local\Temp\8f2f53987a393d26762f0347e519a16f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\8f2f53987a393d26762f0347e519a16f.exe
  C:\Users\Admin\AppData\Local\Temp\8f2f53987a393d26762f0347e519a16f.exe startC:\Program Files (x86)\LP\4683\4A2.exe%C:\Program Files (x86)\LP\4683
  2⤵
  PID:808
- C:\Users\Admin\AppData\Local\Temp\8f2f53987a393d26762f0347e519a16f.exe
  C:\Users\Admin\AppData\Local\Temp\8f2f53987a393d26762f0347e519a16f.exe startC:\Users\Admin\AppData\Roaming\3EE76\2F446.exe%C:\Users\Admin\AppData\Roaming\3EE76
  2⤵
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3EE76\637A.EE7

Filesize
996B

MD5
d272d4315289f518cfa239e9ae1d67bb

SHA1
5ecad8ef55cc847164a16d7d546fa2d69513c8e9

SHA256
53b367107b1bce60e6cac9b6bba6445692ed95ed9758adfa670aa08ea9fbb956

SHA512
9068e32601fabb87b5a7d48bf7a3de38f206c3c519390ef21f854b52974b19af98af33bee01d2d77d6ebdbf44d0145b9f6ed643676481730c57cca76bdae8bda

Download Submit
C:\Users\Admin\AppData\Roaming\3EE76\637A.EE7

Filesize
600B

MD5
5f59c1948ee3c7a97561d58366da10bb

SHA1
bdee158edd11626865e6192f5a65b828ff1e6075

SHA256
82dca8a3ccef7da3cafe5aabf1dc60f9b786aaa4c2f7bfc153cc63fe4b0f1a06

SHA512
6b86680cf13dc51599a7754498940b4dea2a39571072303d6e48accc8a6ef9bb5719de3bb4c9ea81d56baf4c99b233f2b318ec537b830aded508b23f8e50ba6a

Download Submit
C:\Users\Admin\AppData\Roaming\3EE76\637A.EE7

Filesize
1KB

MD5
55a06982b5a7681d0448fa7c26fdeb23

SHA1
b774624415702b5099adf7127789feb7d4f735d4

SHA256
3a1b5a4a914579f5ab16407a7321d7e67772e4ed21c609e98113ee0f8258c47c

SHA512
79c38def5b81f5ae50274277ddc0b0c82b916946cf9751f9db8f6708b3da26b0721484e0c3c6c2522582abd8f2856644b51eec6a521efbbe655566308954caea

Download Submit
memory/468-3-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/468-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/468-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/468-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/468-239-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/468-306-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/808-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/808-14-0x0000000000784000-0x000000000079C000-memory.dmp

Filesize
96KB

Download
memory/4620-118-0x0000000000704000-0x000000000071C000-memory.dmp

Filesize
96KB

Download
memory/4620-117-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download