Analysis
- max time kernel: 10s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-06-2022 23:51

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
- Resource: win7-20220414-en
General
- Target: 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
- Size: 220KB
- MD5: 70a7c04e563624c30971d8d5ee19f72e
- SHA1: d8dd38dcb1efa7922329568fc41cae8915bad17d
- SHA256: 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9
- SHA512: fd16e46561ecbf4abc563915ea594c53413002eff259aa6b403194aa9f21cb460ad5bad2643b6010420cc333f6f59ef1baa63056334bf3c31e858685f0c9bd4d
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    844 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                     | pid  | process                                                                 | target process
    PID 2036 wrote to memory of 844 | 2036 | 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe | cmd.exe
    PID 2036 wrote to memory of 844 | 2036 | 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe | cmd.exe
    PID 2036 wrote to memory of 844 | 2036 | 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe | cmd.exe
    PID 2036 wrote to memory of 844 | 2036 | 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe | cmd.exe
    PID 844 wrote to memory of 2044 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 2044 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 2044 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 2044 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 1288 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 1288 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 1288 | 844  | cmd.exe                                                                 | attrib.exe
    PID 844 wrote to memory of 1288 | 844  | cmd.exe                                                                 | attrib.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    pid  | process
    2044 | attrib.exe
    1288 | attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\6B23TM~1.BAT
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"
         - Views/modifies file attributes
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\6B23.tmp.bat"
         - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\6B23.tmp.bat
  Filesize: 538B
  MD5: 2dadcbd62903a1815acda106039fa71c
  SHA1: c25d2a23bb106fe1920e9b60de5e8b571549a5ff
  SHA256: 3048b23621c5ffb705ed676dfb39e3f3c68eb60c6befa63908d005c9192fdd72
  SHA512: 8d804c7ca9418c783a3d33b569d5b360e88b74902b40f42a16ebe8b521d83c89622eee8336c048d8c64485ea06fd42e1cd7f11c9b2570588a2d2cc1c2800bfb5
- memory/844-55-0x0000000000000000-mapping.dmp
- memory/1288-59-0x0000000000000000-mapping.dmp
- memory/2036-54-0x0000000076461000-0x0000000076463000-memory.dmp
  Filesize: 8KB
- memory/2036-56-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2044-58-0x0000000000000000-mapping.dmp