7zS850A099E.zip

General
Target

7zS850A099E/61e7501b7eabe_Tue2344597f.exe

Filesize

527KB

Completed

19-01-2022 08:14

Score
7/10
MD5

8e0bc14c20fd607593967f164bbf08b5

SHA1

f68dc21b6352302d36cb1953ac0065e30d1ca6b0

SHA256

af8fbb1b23a21d1be75abcbb8d7c8447ec0c3b309fcfb407a91576a06070dcfe

Malware Config
Signatures 7

Filter: none

Collection
Credential Access
Discovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext
    61e7501b7eabe_Tue2344597f.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1672 set thread context of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
  • Suspicious behavior: EnumeratesProcesses
    61e7501b7eabe_Tue2344597f.exe

    Reported IOCs

    pidprocess
    73261e7501b7eabe_Tue2344597f.exe
  • Suspicious use of AdjustPrivilegeToken
    61e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege167261e7501b7eabe_Tue2344597f.exe
    Token: SeDebugPrivilege73261e7501b7eabe_Tue2344597f.exe
  • Suspicious use of WriteProcessMemory
    61e7501b7eabe_Tue2344597f.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
    PID 1672 wrote to memory of 732167261e7501b7eabe_Tue2344597f.exe61e7501b7eabe_Tue2344597f.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
      C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:732
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
      Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • memory/732-61-0x0000000000400000-0x0000000000420000-memory.dmp

                      Download

                    • memory/732-62-0x0000000000400000-0x0000000000420000-memory.dmp

                      Download

                    • memory/732-63-0x0000000000400000-0x0000000000420000-memory.dmp

                      Download

                    • memory/732-64-0x0000000000400000-0x0000000000420000-memory.dmp

                      Download

                    • memory/732-59-0x0000000000400000-0x0000000000420000-memory.dmp

                      Download

                    • memory/732-60-0x0000000000400000-0x0000000000420000-memory.dmp

                      Download

                    • memory/732-65-0x00000000020A0000-0x00000000020A1000-memory.dmp

                      Download

                    • memory/1672-55-0x0000000000A70000-0x0000000000AFA000-memory.dmp

                      Download

                    • memory/1672-57-0x0000000000360000-0x0000000000361000-memory.dmp

                      Download

                    • memory/1672-56-0x00000000004D0000-0x0000000000577000-memory.dmp

                      Download

                    • memory/1672-58-0x0000000075F81000-0x0000000075F83000-memory.dmp

                      Download