0b36624cac953680338d78a9b44ddfc6f6d154e3af8a688d77666509f3bf6210

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8b4daa476be92f979eb36349e07d521.exe
Size

43KB
MD5

c8b4daa476be92f979eb36349e07d521
SHA1

d221cffdc9d2949476be6421c0ee1eb85c0d03d1
SHA256

0b36624cac953680338d78a9b44ddfc6f6d154e3af8a688d77666509f3bf6210
SHA512

a7390abcce9f4f5a75222fe0377162a2276905c4b65df3a886b93b90fd278e06a366bd6e8e7e5b86fc42dbe3bb6b18bbcff25e0e4d8dfc4c4edf29c5b2f59048
SSDEEP

768:qrlUryIEY4OrX/NglR+eeMFxYxyou8Tigv1xI8i61DlCzs3sI5W8ZME:qGyIL4iNglM3Hx68mgv128XdQCP7

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1036-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1036-2-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1036-3-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1036-4-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1036-7-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\DrWatson\	c8b4daa476be92f979eb36349e07d521.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\MICROSOFT\DRWATSON	c8b4daa476be92f979eb36349e07d521.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4064	1036	c8b4daa476be92f979eb36349e07d521.exe	98
PID 1036 wrote to memory of 4064	1036	c8b4daa476be92f979eb36349e07d521.exe	98
PID 1036 wrote to memory of 4064	1036	c8b4daa476be92f979eb36349e07d521.exe	98

C:\Users\Admin\AppData\Local\Temp\c8b4daa476be92f979eb36349e07d521.exe
"C:\Users\Admin\AppData\Local\Temp\c8b4daa476be92f979eb36349e07d521.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ProgDVBproLoader.cmd C:\Users\Admin\AppData\Local\Temp\ProgDVBproLoader.cmd
  2⤵
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProgDVBproLoader.cmd

Filesize
22B

MD5
0e6757367c907b0be7861d0c7045260d

SHA1
d3940bbece178f750a6c3cd75a37db286cd71b16

SHA256
b51fd7bb61b6ce5fe1b09b256365711aa5d74207198b0afd327ec26066637655

SHA512
4724b6d65615f5dfff5f427589cbfb7312e0beb1fa6cc591e3f6cd231cf671235e24f67ef3acca5af5a58b22069a5d7e8ab96c838eb40fdbc6e090e9076bd482

Download Submit
memory/1036-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1036-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1036-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1036-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1036-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download