Analysis
max time kernel: 101s
max time network: 103s
platform: windows10_x64
resource: win10v20201028
submitted: 04-04-2021 11:53
Static task: static1
Behavioral task: behavioral1
Sample: AFE.tmp.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
Target: AFE.tmp.exe
Size: 378KB
MD5: 98d0976214fb5720a6b2c23ba035b741
SHA1: 1eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256: 553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA512: 4a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Delays execution with timeout.exe (1 IoCs)
pid   Process
632   timeout.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid    Process       procid_target
PID 1456 wrote to memory of 1052     1456   AFE.tmp.exe   79
PID 1456 wrote to memory of 1052     1456   AFE.tmp.exe   79
PID 1456 wrote to memory of 1052     1456   AFE.tmp.exe   79
PID 1052 wrote to memory of 632      1052   cmd.exe       81
PID 1052 wrote to memory of 632      1052   cmd.exe       81
PID 1052 wrote to memory of 632      1052   cmd.exe       81
Processes

C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1456

  C:\Windows\SysWOW64\cmd.exe
    Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1052

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 3
      Signatures: Delays execution with timeout.exe
      PID: 632