2295742285186ecb7ff7c4634d31bdc8.exe

General

Target: 2295742285186ecb7ff7c4634d31bdc8.exe
Filesize: 1MB
Completed: 08-04-2021 07:33
Score: 7/10
MD5: 2295742285186ecb7ff7c4634d31bdc8
SHA1: f76643300796393b1e616f7e2d925644faae5caf
SHA256: 0cd1346813ea66e5ecb353180f0f01d9b2e53b230ccb5aece10e4366d632df25

Signatures (7)

Tactics: Collection, Credential Access, Discovery
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting
    TTPs: Data from Local System, Credentials in Files
  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry
  • Suspicious use of SetThreadContext
    2295742285186ecb7ff7c4634d31bdc8.exe

    Reported IOCs

    description | pid | process | target process
    PID 3248 set thread context of 3684 | 3248 | 2295742285186ecb7ff7c4634d31bdc8.exe | 2295742285186ecb7ff7c4634d31bdc8.exe
  • Suspicious behavior: EnumeratesProcesses
    2295742285186ecb7ff7c4634d31bdc8.exe

    Reported IOCs

    pid | process
    3684 | 2295742285186ecb7ff7c4634d31bdc8.exe
  • Suspicious use of AdjustPrivilegeToken
    2295742285186ecb7ff7c4634d31bdc8.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3684 | 2295742285186ecb7ff7c4634d31bdc8.exe
  • Suspicious use of WriteProcessMemory
    2295742285186ecb7ff7c4634d31bdc8.exe

    Reported IOCs

    description | pid | process | target process
    PID 3248 wrote to memory of 3684 | 3248 | 2295742285186ecb7ff7c4634d31bdc8.exe | 2295742285186ecb7ff7c4634d31bdc8.exe
    (the row above is reported 8 times, all entries identical)
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\2295742285186ecb7ff7c4634d31bdc8.exe
    "C:\Users\Admin\AppData\Local\Temp\2295742285186ecb7ff7c4634d31bdc8.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\2295742285186ecb7ff7c4634d31bdc8.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3684
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2295742285186ecb7ff7c4634d31bdc8.exe.log
    MD5: 0c2899d7c6746f42d5bbe088c777f94c
    SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
    SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
    SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
