1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5

General

Target

1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
Size

2.2MB
MD5

422ad9c53a86f687b230fde951fb5856
SHA1

17eb89de5f5a21b3e83497e74145613209bc3a86
SHA256

1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5
SHA512

d0cfae682aab7a15703b051bc879721d41276b8a22e9f69d9d2a0a40bdfea38cb1634340d3f93e2ce0f8f229798290820b7262e346ab88cf578a34489471c1e6
SSDEEP

49152:Tgxqu3RcnLHx7FHNwA5VRp/KQiGH+7W7WFDus/3BcSJir2Vn:EQLVFthRhiY7Cus/3F4qV

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3428-0-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	UPX
behavioral2/memory/3428-1-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	UPX
behavioral2/memory/3428-68-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	UPX
behavioral2/memory/3428-71-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3428-0-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	upx
behavioral2/memory/3428-1-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	upx
behavioral2/memory/3428-68-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	upx
behavioral2/memory/3428-71-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Kills process with taskkill 1 IoCs

evasion

pid	Process
3112	taskkill.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
60	powershell.exe
60	powershell.exe
60	powershell.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	3112	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 60	3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe	110
PID 3428 wrote to memory of 60	3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe	110
PID 3428 wrote to memory of 456	3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe	112
PID 3428 wrote to memory of 456	3428	1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe	112
PID 456 wrote to memory of 3112	456	cmd.exe	114
PID 456 wrote to memory of 3112	456	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
"C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C "taskkill /pid 1896 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\taskkill.exe
    taskkill /pid 1896 /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2316 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:3
1⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:8
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbkkGJk0hIcrJktyOu9xhqY0FxCE8C\sensitive-files.zip

Filesize
5.9MB

MD5
75fced5a2c15aa4acf31d4dcf8682189

SHA1
930aaa348822194258695f1e6ba65fbfc07fb6bb

SHA256
c46ea746ffde4d624e80a563a936e36c3b42a198ffc889d9054bbe0b670af7b0

SHA512
d88e407f9b13d1b6fe14b43fdcaa08802ee12fd9a59154ca7d0c12ce6d3f12233ac8b2063c25aa8746511f8084621a73adca9aca10c6a71a98d44ef386143aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbkkGJk0hIcrJktyOu9xhqY0FxCE8C\user_info.txt

Filesize
574B

MD5
b68c02bc5b4a67f36ba2cb9ce9e35efc

SHA1
77379c29711337ec1f8de4167be7c8dd2d6ed194

SHA256
4a70f1ff21072e311ade35481f7b60bf18118b299ca10fa9252cf1af9a73d1ed

SHA512
738b2bc1cdeb116bdad389c88466b8c5e84d9cbd3bb411d0a3a38f6b66f63eddcde6c1bc68e93f534f360d24484f7d34f2c6d99b87c9d38b20bea07c7febf120

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u43uzxu0.fsy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/60-4-0x000001AEE42C0000-0x000001AEE42E2000-memory.dmp

Filesize
136KB

Download
memory/60-16-0x000001AEE3E40000-0x000001AEE3E50000-memory.dmp

Filesize
64KB

Download
memory/60-17-0x000001AEE3E40000-0x000001AEE3E50000-memory.dmp

Filesize
64KB

Download
memory/60-21-0x00007FFE6B330000-0x00007FFE6BDF1000-memory.dmp

Filesize
10.8MB

Download
memory/60-15-0x000001AEE3E40000-0x000001AEE3E50000-memory.dmp

Filesize
64KB

Download
memory/60-14-0x00007FFE6B330000-0x00007FFE6BDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3428-0-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp

Filesize
5.3MB

Download
memory/3428-68-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp

Filesize
5.3MB

Download
memory/3428-71-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp

Filesize
5.3MB

Download
memory/3428-1-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing