3f029d27ce89aec05460a4145a4a88f23e53490a1025da16eccb197942d32e65

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfce29ec3622929372cf722866c7e539.exe
Size

364KB
MD5

bfce29ec3622929372cf722866c7e539
SHA1

ed1c29697f8ce95c3874b5a2ffb2916591590136
SHA256

3f029d27ce89aec05460a4145a4a88f23e53490a1025da16eccb197942d32e65
SHA512

db2e763d096e83ab2c6a19fe25fc3fa7b59f9e3fa3d01a0c93178b72e036660b10f1255176dad46d430a757e007c5473104eb86de565ac50907e1259c971532f
SSDEEP

6144:vdnIz2AMyzRJd7cGyMvNDGkOWXnlzrhPHTJj5o7Aw2x7E2KkeTW3MFoSUc1Y:vdnIoyzRXXRv1Wkl3hPH7o7A7EweTW8i

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3004-0-0x0000000000980000-0x0000000000AB3000-memory.dmp	upx
behavioral1/memory/3004-1-0x0000000000980000-0x0000000000AB3000-memory.dmp	upx
behavioral1/memory/3004-10-0x0000000000980000-0x0000000000AB3000-memory.dmp	upx
behavioral1/files/0x000b000000018b6a-12.dat	upx

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2268	3004	bfce29ec3622929372cf722866c7e539.exe	28
PID 3004 wrote to memory of 2268	3004	bfce29ec3622929372cf722866c7e539.exe	28
PID 3004 wrote to memory of 2268	3004	bfce29ec3622929372cf722866c7e539.exe	28
PID 3004 wrote to memory of 2268	3004	bfce29ec3622929372cf722866c7e539.exe	28

C:\Users\Admin\AppData\Local\Temp\bfce29ec3622929372cf722866c7e539.exe
"C:\Users\Admin\AppData\Local\Temp\bfce29ec3622929372cf722866c7e539.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\428.bat
  2⤵
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\428.bat

Filesize
175B

MD5
ad0b04a88ce93fa942b04df14e7a6fab

SHA1
e663e9641b1234b76de8d8fae4c4abb9d2f15fec

SHA256
75f48e790eb745808a29b3b032983da61b0af28b4f5fde852a3674ab319cd863

SHA512
683d23b0605e450fe000bca8d9d3a1cb0ace4d140298daf703822c303e538487e47c2000d3382fa0b74dde85c0ef9680fa11ca1430513d8ee5209abf39f82f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\43376.exe

Filesize
364KB

MD5
bfce29ec3622929372cf722866c7e539

SHA1
ed1c29697f8ce95c3874b5a2ffb2916591590136

SHA256
3f029d27ce89aec05460a4145a4a88f23e53490a1025da16eccb197942d32e65

SHA512
db2e763d096e83ab2c6a19fe25fc3fa7b59f9e3fa3d01a0c93178b72e036660b10f1255176dad46d430a757e007c5473104eb86de565ac50907e1259c971532f

Download Submit
memory/3004-0-0x0000000000980000-0x0000000000AB3000-memory.dmp

Filesize
1.2MB

Download
memory/3004-1-0x0000000000980000-0x0000000000AB3000-memory.dmp

Filesize
1.2MB

Download
memory/3004-10-0x0000000000980000-0x0000000000AB3000-memory.dmp

Filesize
1.2MB

Download