Analysis
- max time kernel: 133s
- max time network: 138s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 01-03-2021 13:18
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
  - Resource: win7v20201028
General
- Target: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
- Size: 2.4MB
- MD5: e2ff2b8181e08ad9638e802775cac4a6
- SHA1: 2f4a054b49bd2550ae927f85e02292277e9f24b9
- SHA256: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0
- SHA512: 00515c0c873edee75118f5be067a954743924307d7be87a2787f2044d4783561ea96ae4fdf12983e8dbe6dd473c5961f44af3d6b3882ad6b4acc8c22c014d544
Malware Config
Signatures
- YARA rule match
  Processes:
  resource: behavioral1/memory/1596-3-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
  yara_rule: vmprotect
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 6: api.ipify.org
  flow 7: api.ipify.org
  flow 10: ip-api.com
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid 1596: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
  (the same pid/process entry is listed once per IoC, 64 times in total)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeDebugPrivilege
  pid 1596: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1596-2-0x000007FEF5990000-0x000007FEF637C000-memory.dmp (Filesize: 9.9MB)
- memory/1596-3-0x0000000000FD0000-0x0000000000FD1000-memory.dmp (Filesize: 4KB)
- memory/1596-5-0x000000001ACB0000-0x000000001ACB2000-memory.dmp (Filesize: 8KB)
- memory/1596-6-0x0000000000520000-0x0000000000591000-memory.dmp (Filesize: 452KB)
- memory/1596-7-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)