88c6c375c6c140305bf20582f26f69173cd0693cf60b37ee141990c0d42ce264

General

Target

add254f1f9f21cd8ce1111d873512785.exe
Size

119KB
MD5

add254f1f9f21cd8ce1111d873512785
SHA1

f3397fc9b637b15db75cb60d8b7de479cbad8292
SHA256

88c6c375c6c140305bf20582f26f69173cd0693cf60b37ee141990c0d42ce264
SHA512

b2c83f95b10fb2348c9f6ce37e6dc3a1e931b314101e9382689c8b5e5e205b336ccfb9f0d67b21b50c905541f563bd784266cfe4cd8d9389f1491b50f1f741b4
SSDEEP

1536:1+aX3clImYqyRFx2UXzXdbHK4pMohhOw6zqXzistdQkNmLhzJfeGSOum4rD2r2DE:1+63cYRSURXMo6dmXSaexSOfEatxu

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-1-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2620-5-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2940-9-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/1840-66-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2940-68-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2620-125-0x00000000005B0000-0x00000000006B0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	add254f1f9f21cd8ce1111d873512785.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2620	2940	add254f1f9f21cd8ce1111d873512785.exe	28
PID 2940 wrote to memory of 2620	2940	add254f1f9f21cd8ce1111d873512785.exe	28
PID 2940 wrote to memory of 2620	2940	add254f1f9f21cd8ce1111d873512785.exe	28
PID 2940 wrote to memory of 2620	2940	add254f1f9f21cd8ce1111d873512785.exe	28
PID 2940 wrote to memory of 1840	2940	add254f1f9f21cd8ce1111d873512785.exe	30
PID 2940 wrote to memory of 1840	2940	add254f1f9f21cd8ce1111d873512785.exe	30
PID 2940 wrote to memory of 1840	2940	add254f1f9f21cd8ce1111d873512785.exe	30
PID 2940 wrote to memory of 1840	2940	add254f1f9f21cd8ce1111d873512785.exe	30

C:\Users\Admin\AppData\Local\Temp\add254f1f9f21cd8ce1111d873512785.exe
"C:\Users\Admin\AppData\Local\Temp\add254f1f9f21cd8ce1111d873512785.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\add254f1f9f21cd8ce1111d873512785.exe
  C:\Users\Admin\AppData\Local\Temp\add254f1f9f21cd8ce1111d873512785.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\add254f1f9f21cd8ce1111d873512785.exe
  C:\Users\Admin\AppData\Local\Temp\add254f1f9f21cd8ce1111d873512785.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1416.FBC

Filesize
1KB

MD5
d9cd40c447942b3d07eef29402597170

SHA1
ef7dc266589fe17a0d98d26d901d83bcd56bec96

SHA256
f8ff95e75add72780a689d9f79ef78b2e6331a95ab165af6511e055ed7d2e495

SHA512
670d80aba421f5e998a13f7573ed8612f1d635438845bcabd840f1d47b9a0b721a39ce1be2bca0ced9e5b17915073827b706d7de7f248ab117bd1aa2d55890ef

Download Submit
C:\Users\Admin\AppData\Roaming\1416.FBC

Filesize
300B

MD5
291157c24e5ea8bef56056014da42e0d

SHA1
3fedcb2b9c4d934bbb6789f98fd4e11076983c21

SHA256
0806b97a1e020a3ca03bf804f87b1a125c6ddacded262336e59915a6d4374bc4

SHA512
6d64b34454015d2c0e7a741adfb3e3b82dd39561a4fd814ca01759de49f14c169ce61c5b0a29e6c0f74e24503ecd13604e7c0c7bd83229a0fe211cca0ffe2953

Download Submit
C:\Users\Admin\AppData\Roaming\1416.FBC

Filesize
696B

MD5
dac97233d50a2e4d97b88faaf8d40f86

SHA1
ba457dd1f6cc0b48230b935fd613f2091aa7de55

SHA256
d5a0626586b8727fd6e7eea681700ab7507ef969f91295e8a68546c893387ff5

SHA512
26ab0734b1f5c41a01279cbd51a690d7461fae5b63cd12e27abbaf55b94d881492c9a92bfdb9e0d4eae44ed544e35b679c1fadcc4fde9aab5d81241888ec3810

Download Submit
memory/1840-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1840-67-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2620-6-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2620-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2620-125-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2940-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-69-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2940-3-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads