Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-05-2021 12:55

General

  • Target

    204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

  • Size

    3.9MB

  • MD5

    bca6b95784be22950d3c68f7c021418b

  • SHA1

    a80dbf95d96ab9402e644eb1e271a9431bbc7b53

  • SHA256

    204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed

  • SHA512

    00db30ff69cb35c301b4a4d52778414e4e176ef183da1da587df63069706cfa0c62d72fa4e010c05241bc25e182c6e5183a40d7e61a2e15924d875068e533f08

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
    "C:\Users\Admin\AppData\Local\Temp\204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1348-61-0x00000000762C1000-0x00000000762C3000-memory.dmp
    Filesize

    8KB