cf2fcbc85af3ca823e86834ffec235609265ea84684c834408d6c35cdb5e9c2e

General

Target

abdc9d10a25586602325773d913d3119.exe
Size

188KB
MD5

abdc9d10a25586602325773d913d3119
SHA1

20fb0d68afb6c58fb4269856294e97918614167c
SHA256

cf2fcbc85af3ca823e86834ffec235609265ea84684c834408d6c35cdb5e9c2e
SHA512

f17aa1e11367f95fae1d26d9c5487698bceb823b1caf859186ef57aaf822d02904f8b32b133065f21401a33699d74dbf22d7b78d4b8b435362bf7109d64cd9a0
SSDEEP

3072:HDtMuqWPlBbSN11VB8z6AZsulG7reAu/NYMse9X2mI5o0ARlpw0Sayn52siSo9qs:HD+urNEjB8z1yu+eAu/WM3t2mI5Ile0W

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1732-5-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1496-77-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2040-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2040-182-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2040-187-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	abdc9d10a25586602325773d913d3119.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1732	2040	abdc9d10a25586602325773d913d3119.exe	28
PID 2040 wrote to memory of 1732	2040	abdc9d10a25586602325773d913d3119.exe	28
PID 2040 wrote to memory of 1732	2040	abdc9d10a25586602325773d913d3119.exe	28
PID 2040 wrote to memory of 1732	2040	abdc9d10a25586602325773d913d3119.exe	28
PID 2040 wrote to memory of 1496	2040	abdc9d10a25586602325773d913d3119.exe	30
PID 2040 wrote to memory of 1496	2040	abdc9d10a25586602325773d913d3119.exe	30
PID 2040 wrote to memory of 1496	2040	abdc9d10a25586602325773d913d3119.exe	30
PID 2040 wrote to memory of 1496	2040	abdc9d10a25586602325773d913d3119.exe	30

C:\Users\Admin\AppData\Local\Temp\abdc9d10a25586602325773d913d3119.exe
"C:\Users\Admin\AppData\Local\Temp\abdc9d10a25586602325773d913d3119.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\abdc9d10a25586602325773d913d3119.exe
  C:\Users\Admin\AppData\Local\Temp\abdc9d10a25586602325773d913d3119.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\abdc9d10a25586602325773d913d3119.exe
  C:\Users\Admin\AppData\Local\Temp\abdc9d10a25586602325773d913d3119.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\36A0.750

Filesize
1KB

MD5
3a9e31c9cfaab43d3e611206d6e40a4f

SHA1
795f0e9fdf4812dfab937e2496f395105958f0d6

SHA256
01317ad0499d554538384714c39de4d2a005e8aaf54054bdd67d567dfc2a1f47

SHA512
e7c65b352e8d118a9795afe821ab33bbb556110b18fba978dcfe7ef76ad328840a242e1947bbf39fcf9f0c9185baf2fc1016a26d0da8d8f05b669cd7573bd07b

Download Submit
C:\Users\Admin\AppData\Roaming\36A0.750

Filesize
600B

MD5
642551e5762e6a08a364c9fdb9d2f7a5

SHA1
18d3dde806957a4b9ed9b7afd7de3d8fccfaf395

SHA256
722fdba51907ef69ab5a017b38cd17d8152e5582e22aed9d80bdbefad83fb54f

SHA512
784f4f5e0b5bf973762817e14e453840e73a762ca8e15de24220f40afd29a34f567e607508ed92b6d58965588530fdb546b1a78000c5ac9c417e64d9cf6d6cb8

Download Submit
C:\Users\Admin\AppData\Roaming\36A0.750

Filesize
996B

MD5
298af590b05398b33a0ed3126a57dc00

SHA1
7333cab8e821a7aba6c6d3bd8f53bccef2327c2a

SHA256
d22b7742f32f517bf0d2fea705511efa88df633b3f5f4db5c0004a24f55ec0f7

SHA512
21f029f6825d321cf22a60803dd63931b9264dcd79b129475857f6089724b19e27b155a84d39bce92a426c3cc994a5f57562cdc533f8be362179a112e942681b

Download Submit
memory/1496-78-0x0000000000516000-0x0000000000542000-memory.dmp

Filesize
176KB

Download
memory/1496-77-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-6-0x0000000000296000-0x00000000002C2000-memory.dmp

Filesize
176KB

Download
memory/1732-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-80-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2040-3-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2040-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2040-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads