d56742d377a636a7ced6a503d0ff26e429bde79bb431a26c0ec63f51cf418fba

Analysis

Target

2192cfe9de1e5450629e508ec785055d.exe
Size

30KB
MD5

2192cfe9de1e5450629e508ec785055d
SHA1

881be66666b9a3c302a56c364c8d9e230ae3854d
SHA256

d56742d377a636a7ced6a503d0ff26e429bde79bb431a26c0ec63f51cf418fba
SHA512

cb1a1c98f6f25fe5cc07ea6ed747c860452267d44682ddaab3ac12b915afef4624713dc55f63dbb928da2974d6482edf289358b43f543a448983b6efce676dbb

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2192cfe9de1e5450629e508ec785055d.exe

description	pid	process
Token: SeDebugPrivilege	772	2192cfe9de1e5450629e508ec785055d.exe
Token: 33	772	2192cfe9de1e5450629e508ec785055d.exe
Token: SeIncBasePriorityPrivilege	772	2192cfe9de1e5450629e508ec785055d.exe

C:\Users\Admin\AppData\Local\Temp\2192cfe9de1e5450629e508ec785055d.exe
"C:\Users\Admin\AppData\Local\Temp\2192cfe9de1e5450629e508ec785055d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/772-114-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/772-116-0x000000001ADE0000-0x000000001ADE2000-memory.dmp

Filesize
8KB

Download
memory/772-117-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/772-118-0x0000000000590000-0x0000000000594000-memory.dmp

Filesize
16KB

Download
memory/772-119-0x000000001B2F0000-0x000000001B381000-memory.dmp

Filesize
580KB

Download
memory/772-120-0x000000001B490000-0x000000001B51F000-memory.dmp

Filesize
572KB

Download