Analysis
- max time kernel: 5s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 22:36

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Resource: win7v20201028
General
- Target: f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Size: 324KB
- MD5: bda20d0177640d129ace7394841fe5c0
- SHA1: 3c8c531a28901ce5f3a6eb9b5ac1c353bfc73f87
- SHA256: f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7
- SHA512: bfaedf705c5bdb3b8b4aa63b18a20e9336ee77999e3637f3677f3aa1623270e5b9dbb62bcd1d1b338979c391cb38d4b127544120804ac42e1c515b0776d02e9e
Malware Config
(none extracted)

Signatures
- Loads dropped DLL (1 IoC)
  Processes: pid 372, f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: pid 372, f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe (10 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 372, f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe, Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\10d99b49-052f-4ada-adab-4c003fc333e5\AgileDotNetRT.dll
  - MD5: edd74be9723cdc6a5692954f0e51c9f3
  - SHA1: e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
  - SHA256: 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
  - SHA512: 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3
Memory dumps (pid 372)
- memory/372-59-0x0000000000AA0000-0x0000000000AA1000-memory.dmp (filesize 4KB)
- memory/372-62-0x0000000074D20000-0x0000000074DA0000-memory.dmp (filesize 512KB)
- memory/372-63-0x0000000004290000-0x0000000004291000-memory.dmp (filesize 4KB)
- memory/372-64-0x0000000004295000-0x00000000042A6000-memory.dmp (filesize 68KB)
- memory/372-65-0x00000000042A6000-0x00000000042A7000-memory.dmp (filesize 4KB)
- memory/372-66-0x00000000042A7000-0x00000000042A8000-memory.dmp (filesize 4KB)