Analysis
- max time kernel: 155s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 28-02-2022 03:17

Static task: static1
Behavioral task: behavioral1
Sample: 56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
Resource: win7-en-20211208
General
- Target: 56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
- Size: 697KB
- MD5: a31cb445d3131bf567720c43f2a74484
- SHA1: 29e763a59424f9bb147df11a7b2ebfe9373a451f
- SHA256: 56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256
- SHA512: ca8d1c63ababcb662922d4e91c3f599579ce324881ca4ce6effe942b91037012fc959060eab730d62b07330c17bd4ac49458b52c224c5e615ee55ae469ae0ae0
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
  resource | yara_rule
  behavioral2/memory/1988-132-0x0000000002810000-0x00000000028ED000-memory.dmp | autoit_exe
  behavioral2/memory/1988-133-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
  "C:\Users\Admin\AppData\Local\Temp\56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe"
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID: 1988
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    PID: 2376
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    PID: 3316
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    PID: 2464
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    PID: 3132
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    PID: 4000
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    PID: 3668
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    PID: 3536
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    PID: 216
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    PID: 2508
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    PID: 2560
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    PID: 2376
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    PID: 1848
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    PID: 3864
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    PID: 3568
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    PID: 2820
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    PID: 3540
  - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    PID: 460