553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144

Analysis

Target

AFE.tmp.exe
Size

378KB
MD5

98d0976214fb5720a6b2c23ba035b741
SHA1

1eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256

553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA512

4a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

632 timeout.exe

pid	process
632	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AFE.tmp.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 1052	1456	AFE.tmp.exe	cmd.exe
PID 1456 wrote to memory of 1052	1456	AFE.tmp.exe	cmd.exe
PID 1456 wrote to memory of 1052	1456	AFE.tmp.exe	cmd.exe
PID 1052 wrote to memory of 632	1052	cmd.exe	timeout.exe
PID 1052 wrote to memory of 632	1052	cmd.exe	timeout.exe
PID 1052 wrote to memory of 632	1052	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\cmd.exe
  /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:632

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/632-5-0x0000000000000000-mapping.dmp

Download
memory/1052-4-0x0000000000000000-mapping.dmp

Download
memory/1456-2-0x00000000076A0000-0x000000000CB1C000-memory.dmp

Filesize
84.5MB

Download
memory/1456-3-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download