6e7a973a2d334cdc4421ddf0247b318ee18f4431775e59ee98f0fe411361b4bd

General

Target

ac2c74939bb9419e3b843e96e066a27d.exe
Size

171KB
MD5

ac2c74939bb9419e3b843e96e066a27d
SHA1

6ca3f57f07804284910a14ea20892bb1c66c4f89
SHA256

6e7a973a2d334cdc4421ddf0247b318ee18f4431775e59ee98f0fe411361b4bd
SHA512

e68dc2cae6bd04d04be9ec2db65399bae94a64a5884a9e583dc87ee410aa7a4e0585e4bec2ae2ecb8ba2b02f712d024f29685d2566f28808eac439f1e011f554
SSDEEP

3072:16SzrU5NETm9rXt7e/WM3HzvBYaP9bMKR6ixzRMZzSL5GtzVvh:16ziUrX8/DT5YaP9oo6czEZVh

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1768-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3004-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1768-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2688-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2688-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1768-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3004-146-0x00000000002D0000-0x00000000003D0000-memory.dmp	upx
behavioral1/memory/1768-180-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1768-183-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	ac2c74939bb9419e3b843e96e066a27d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3004	1768	ac2c74939bb9419e3b843e96e066a27d.exe	28
PID 1768 wrote to memory of 3004	1768	ac2c74939bb9419e3b843e96e066a27d.exe	28
PID 1768 wrote to memory of 3004	1768	ac2c74939bb9419e3b843e96e066a27d.exe	28
PID 1768 wrote to memory of 3004	1768	ac2c74939bb9419e3b843e96e066a27d.exe	28
PID 1768 wrote to memory of 2688	1768	ac2c74939bb9419e3b843e96e066a27d.exe	30
PID 1768 wrote to memory of 2688	1768	ac2c74939bb9419e3b843e96e066a27d.exe	30
PID 1768 wrote to memory of 2688	1768	ac2c74939bb9419e3b843e96e066a27d.exe	30
PID 1768 wrote to memory of 2688	1768	ac2c74939bb9419e3b843e96e066a27d.exe	30

C:\Users\Admin\AppData\Local\Temp\ac2c74939bb9419e3b843e96e066a27d.exe
"C:\Users\Admin\AppData\Local\Temp\ac2c74939bb9419e3b843e96e066a27d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\ac2c74939bb9419e3b843e96e066a27d.exe
  C:\Users\Admin\AppData\Local\Temp\ac2c74939bb9419e3b843e96e066a27d.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\ac2c74939bb9419e3b843e96e066a27d.exe
  C:\Users\Admin\AppData\Local\Temp\ac2c74939bb9419e3b843e96e066a27d.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\34D8.F5C

Filesize
1KB

MD5
743481a934f1caf02fbb74ee57747bf2

SHA1
db7c624f516bf229ad91f1dc80d3617742fb2b1b

SHA256
f4a4cd706576588836a6db6ecc089b83be5ef81f922078ff63a74c8e3d5358ad

SHA512
4664a2d32f11cb47439bdf9f6578fc2cb3d2d181c57226b31e67b98c90096d15c2bfa37d5668062e86863c2680492a68062f1d650ffddcb9dfe86a7793713775

Download Submit
C:\Users\Admin\AppData\Roaming\34D8.F5C

Filesize
600B

MD5
3b670f4432696b1d23c4fe6284e47e8b

SHA1
10ef6e7d074b0761369eff90ff0e762e1c1b4ba4

SHA256
fea68143255d5aca5883ad2ce6a265b9197721baf6923056a052aae075944093

SHA512
291f8d106baff981a988efb4c54908e703d3554d4c1203ac7d16a2db43d61de631608c15ca26b776de895bac1096159a26715a64d039606751af9e369eb4893c

Download Submit
C:\Users\Admin\AppData\Roaming\34D8.F5C

Filesize
996B

MD5
891bac013c48b8c1e8c544c8e0c3d106

SHA1
cbbec8dfd8e274465e189131da2f6a60f0b6f380

SHA256
fb79f496e2dda45685f4a3b4f8deaefe49558e71d85d14b10195d5d597de17ee

SHA512
8df652a6b47e98fb85b8cc7d2a35e33100ece99165239c3d9019bc9ccff8874bfe063b020c4d56f030c5a81308eeeffe4de1cdd7846ad2e10e9a23371c66cfd8

Download Submit
memory/1768-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-180-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-2-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1768-83-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2688-81-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2688-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3004-146-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/3004-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3004-14-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/3004-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads