286f4f8d0bc1b2645d25f1d0718a30323403e4f26dea4c5dbc70f43a0d33a0c0

Analysis

max time kernel
141s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 22:33

Target

Maya Password Stealer/Editor.exe
Size

459KB
MD5

e323ed667ef3563092dce07d984518ce
SHA1

2c56b1a587dd43aa5e09950919a1510d8b05f4fc
SHA256

2f46ac733fdcc19be847e7008260c34bcb3a31cbc82299409d95d524bd0d5fc5
SHA512

b96017def08318f65ad08d75ab48c90eb637e2944f56d7c843c85f9bc7dfaa4ce7505954d2c55abdf33cd1f50cf57aed2476d36a0dc624606ed19061c54de207
SSDEEP

6144:l9TyWfXiIk6hXalydeocepqj6d48tbeldKCiI9hnCtMVobP+RKp6NVc3rsVIOptT:C20kaMwNeg6y8tb1/viiss6ji4VCmew

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

Editormgr.exe

pid process

972 Editormgr.exe

pid	process
972	Editormgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3860-0-0x0000000000400000-0x0000000000558000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe	upx
behavioral2/memory/972-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/972-12-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/3860-13-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1160 972 WerFault.exe Editormgr.exe

pid	pid_target	process	target process
1160	972	WerFault.exe	Editormgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Editor.exe

description	pid	process	target process
PID 3860 wrote to memory of 972	3860	Editor.exe	Editormgr.exe
PID 3860 wrote to memory of 972	3860	Editor.exe	Editormgr.exe
PID 3860 wrote to memory of 972	3860	Editor.exe	Editormgr.exe

C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editor.exe
"C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe
"C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe"
2⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 264
3⤵
- Program crash
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 972 -ip 972
1⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe
Filesize
105KB

MD5
9b49fec7e03c33277f188a2819b8d726

SHA1
a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SHA512
049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

Download Submit
memory/972-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/972-6-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/972-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3860-0-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/3860-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3860-13-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/3860-15-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download