04710be5ee1f33f7e6e752588ed57894f48e62e2f9161f1385ebcfd65987920e

Analysis

Target

Документы 29.07.2019.exe
Size

196KB
MD5

f2403ac020b62308e185b8aabc9006ae
SHA1

bfcfc605155649aa6458f64017b9305888a8264f
SHA256

bf5d3d55d30106e2d6c520eb7d43727f98c7e438257650908e7434ed99c590bb
SHA512

392db48c2c418533ab2989e38a1c9f0b3b9a7898c9f29f014dd2120eedaa6f21259ff96615fc4d246e76ed315d514a7e59c1d5385dea59a58889b25b7511396d

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Документы 29.07.2019.exe

description	pid	process	target process
PID 3336 wrote to memory of 904	3336	Документы 29.07.2019.exe	Документы 29.07.2019.exe
PID 3336 wrote to memory of 904	3336	Документы 29.07.2019.exe	Документы 29.07.2019.exe
PID 3336 wrote to memory of 904	3336	Документы 29.07.2019.exe	Документы 29.07.2019.exe

C:\Users\Admin\AppData\Local\Temp\Документы 29.07.2019.exe
"C:\Users\Admin\AppData\Local\Temp\Документы 29.07.2019.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Local\Temp\Документы 29.07.2019.exe
"C:\Users\Admin\AppData\Local\Temp\Документы 29.07.2019.exe" dfsr
2⤵
PID:904

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/904-132-0x0000000000000000-mapping.dmp

Download
memory/3336-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download