Analysis
  max time kernel: 148s
  max time network: 154s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 27-07-2021 22:51
Behavioral task: behavioral1
  Sample: 04_extracted.exe
  Resource: win7v20210408
General
  Target: 04_extracted.exe
  Size: 456KB
  MD5: 58dc1cfd317058134777f77f86f62592
  SHA1: 22f19ee32e81d180be5c4e824d359456df811293
  SHA256: 12a0e61c40e9664cd768c55b50d204e038067e9dfa34c04d0170426565eb2d2c
  SHA512: 0d6984b84336c189eb590ae870b5a50ca81f3d90a7fe97ffdbfab9569b841711475054d6c1ea6e592ad9ae45e14ff70efcfd7c10effb865843a5e79b9a4be0c2
Malware Config
Signatures
NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    behavioral2/memory/188-115-0x0000000000476274-mapping.dmp | WebBrowserPassView

Nirsoft (1 IoC)
  Processes:
    resource | yara_rule
    behavioral2/memory/188-115-0x0000000000476274-mapping.dmp | Nirsoft

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
  Processes: 04_extracted.exe
    description | pid | process | target process
    PID 4016 set thread context of 188 | 4016 | 04_extracted.exe | 04_extracted.exe
    PID 4016 set thread context of 3272 | 4016 | 04_extracted.exe | 04_extracted.exe
    PID 4016 set thread context of 1080 | 4016 | 04_extracted.exe | 04_extracted.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 04_extracted.exe, 04_extracted.exe
    pid | process
    3272 | 04_extracted.exe
    3272 | 04_extracted.exe
    188 | 04_extracted.exe
    188 | 04_extracted.exe
    188 | 04_extracted.exe
    188 | 04_extracted.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 04_extracted.exe
    description | pid | process
    Token: SeDebugPrivilege | 3272 | 04_extracted.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 04_extracted.exe
    pid | process
    4016 | 04_extracted.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: 04_extracted.exe
    description | pid | process | target process
    PID 4016 wrote to memory of 188 | 4016 | 04_extracted.exe | 04_extracted.exe (7 identical rows)
    PID 4016 wrote to memory of 3272 | 4016 | 04_extracted.exe | 04_extracted.exe (7 identical rows)
    PID 4016 wrote to memory of 1080 | 4016 | 04_extracted.exe | 04_extracted.exe (7 identical rows)
Processes
  - C:\Users\Admin\AppData\Local\Temp\04_extracted.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\04_extracted.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\04_extracted.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\04_extracted.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppbdq"
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\04_extracted.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\04_extracted.exe /stext "C:\Users\Admin\AppData\Local\Temp\aronqxkq"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\04_extracted.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\04_extracted.exe /stext "C:\Users\Admin\AppData\Local\Temp\kmtgrqujpcn"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\ppbdq
    MD5: 93d9547e2f6b166ddc13b0f852378d78
    SHA1: 9c252ab52886c3e59e832b316bade26fe3473c74
    SHA256: 0e2229e3ecc706a74a1048c7e395644542a880183d9f6809260410d618dbed1d
    SHA512: 81711df6173b9020a004eabd398e4c1f0c092c42ab6888db122dfe2e582c04826025972f06867d207de7f4cb4d15d57afa219aebcbb9c966961696dca93d3298
  memory/188-114-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize: 480KB
  memory/188-115-0x0000000000476274-mapping.dmp
  memory/188-122-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize: 480KB
  memory/1080-118-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize: 348KB
  memory/1080-119-0x0000000000455238-mapping.dmp
  memory/1080-121-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize: 348KB
  memory/3272-116-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize: 144KB
  memory/3272-117-0x0000000000422206-mapping.dmp
  memory/3272-120-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize: 144KB