Overview

overview

7

Static

static

11d0eae323...b9.exe

windows7_x64

7

11d0eae323...b9.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    10s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-06-2022 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe

  • Size

    220KB

  • MD5

    70a7c04e563624c30971d8d5ee19f72e

  • SHA1

    d8dd38dcb1efa7922329568fc41cae8915bad17d

  • SHA256

    11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9

  • SHA512

    fd16e46561ecbf4abc563915ea594c53413002eff259aa6b403194aa9f21cb460ad5bad2643b6010420cc333f6f59ef1baa63056334bf3c31e858685f0c9bd4d

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
    "C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\6B23TM~1.BAT
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"
        3⤵
        • Views/modifies file attributes
        PID:2044
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\6B23.tmp.bat"
        3⤵
        • Views/modifies file attributes
        PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\6B23.tmp.bat
    Filesize

    538B

    MD5

    2dadcbd62903a1815acda106039fa71c

    SHA1

    c25d2a23bb106fe1920e9b60de5e8b571549a5ff

    SHA256

    3048b23621c5ffb705ed676dfb39e3f3c68eb60c6befa63908d005c9192fdd72

    SHA512

    8d804c7ca9418c783a3d33b569d5b360e88b74902b40f42a16ebe8b521d83c89622eee8336c048d8c64485ea06fd42e1cd7f11c9b2570588a2d2cc1c2800bfb5

    Download Submit
  • memory/844-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1288-59-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-54-0x0000000076461000-0x0000000076463000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-56-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2044-58-0x0000000000000000-mapping.dmp
    Download