Analysis
- max time kernel: 130s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-06-2022 23:51
- Static task: static1
- Behavioral task: behavioral1
  Sample: 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
  Resource: win7-20220414-en
General
- Target: 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
- Size: 220KB
- MD5: 70a7c04e563624c30971d8d5ee19f72e
- SHA1: d8dd38dcb1efa7922329568fc41cae8915bad17d
- SHA256: 11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9
- SHA512: fd16e46561ecbf4abc563915ea594c53413002eff259aa6b403194aa9f21cb460ad5bad2643b6010420cc333f6f59ef1baa63056334bf3c31e858685f0c9bd4d
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description        pid   process                                                                   target process
  wrote to memory    1440  11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe  cmd.exe (PID 3488)
  wrote to memory    1440  11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe  cmd.exe (PID 3488)
  wrote to memory    1440  11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe  cmd.exe (PID 3488)
  wrote to memory    3488  cmd.exe                                                                   attrib.exe (PID 4808)
  wrote to memory    3488  cmd.exe                                                                   attrib.exe (PID 4808)
  wrote to memory    3488  cmd.exe                                                                   attrib.exe (PID 4808)
  wrote to memory    3488  cmd.exe                                                                   attrib.exe (PID 4740)
  wrote to memory    3488  cmd.exe                                                                   attrib.exe (PID 4740)
  wrote to memory    3488  cmd.exe                                                                   attrib.exe (PID 4740)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
  pid   process
  4740  attrib.exe
  4808  attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\Office\C3D2TM~1.BAT
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Microsoft\Office\C3D2.tmp.bat"
      - Views/modifies file attributes
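The process tree above is a common cleanup pattern: the sample (PID 1440) launches cmd.exe with /c on a .bat dropped under AppData\Roaming\Microsoft\Office, and that batch file runs attrib -R -S -H against the sample's own executable and against the batch file itself. As an added detection example (not part of the sandbox report), the following Python replays constructed process-creation events modelled on the tree, with PIDs, image paths and command lines taken from the report and the event field names (pid, ppid, image, cmdline) being an assumption. It flags two things: cmd.exe running an AppData batch file on behalf of a parent that itself lives under AppData, and attrib.exe clearing the System/Hidden attributes on a file that is the image of one of its own ancestors.

```python
"""Detect the cmd /c <AppData .bat> -> attrib -R -S -H <ancestor image> cleanup chain.

Constructed example; not code from the sandbox or the report. The event
layout (pid, ppid, image, cmdline) is an assumption, the values mirror the
report's process tree.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\11d0eae323a754b6904feed1b88b0e170b7887385218bb7d8eafad68c794dab9.exe"

# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 1440, "ppid": 0, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 3488, "ppid": 1440, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\Office\C3D2TM~1.BAT"},
    {"pid": 4808, "ppid": 3488, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": 'attrib -R -S -H "' + SAMPLE + '"'},
    {"pid": 4740, "ppid": 3488, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Microsoft\Office\C3D2.tmp.bat"'},
]

# Minimal Windows-style tokenizer: a double-quoted run is one argument,
# otherwise split on whitespace. Good enough for attrib/cmd lines like these.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def ancestors(by_pid, pid):
    """Walk the parent chain starting at pid (inclusive), guarding against loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, evidence) tuples for the two behaviours described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        toks = tokens(e["cmdline"])
        parent = by_pid.get(e["ppid"])

        # Rule 1: cmd.exe /c <script under AppData>, launched by a parent
        # whose own image also lives under AppData (user-writable drop path).
        if image.endswith("\\cmd.exe") and parent and "/c" in [t.lower() for t in toks]:
            script = next((t for t in toks if t.lower().endswith((".bat", ".cmd"))), None)
            if script and "\\appdata\\" in script.lower() and "\\appdata\\" in parent["image"].lower():
                findings.append((e["pid"], "cmd_runs_appdata_bat_from_appdata_parent", script))

        # Rule 2: attrib clearing System+Hidden on a path that is the image of
        # one of this process's ancestors (the sample un-hiding itself).
        if image.endswith("\\attrib.exe"):
            flags = {t.upper() for t in toks[1:] if t[:1] in "-+"}
            if {"-S", "-H"} <= flags:
                ancestor_images = {a["image"].lower() for a in ancestors(by_pid, e["ppid"])}
                for target in (t for t in toks[1:] if t[:1] not in "-+/"):
                    if target.lower() in ancestor_images:
                        findings.append((e["pid"], "attrib_unhides_ancestor_image", target))
    return findings


if __name__ == "__main__":
    for pid, rule, evidence in detect(EVENTS):
        print(pid, rule, evidence)
```

On the report's events this yields two findings: the cmd.exe launch (PID 3488) and the attrib.exe call against the sample's own path (PID 4808). The second attrib.exe (PID 4740) is not matched by rule 2 because its target is the batch file, not an ancestor image; note also that cmd.exe was given the 8.3 short name C3D2TM~1.BAT while attrib.exe was given C3D2.tmp.bat, so any rule that tries to tie the attrib target back to the /c argument by string comparison needs to normalise short names first.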
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MICROS~1\Office\C3D2.tmp.bat
  Filesize: 534B
  MD5: f6e2a1af8bbed2a3a3b62552949422fa
  SHA1: 6ca4026ed679b89f7d970592f39688c01789531b
  SHA256: 0407a374c2b598143b95a352602e2066967512384f5b795b89af590714d57b09
  SHA512: 6330e136db53280248f6847680dc791f6a48411012831b60a9b6a62c850f2a474329119fd383e841a0c8b6dc3f591ca045dbc478e270fef3390972580fe87e1d
- memory/1440-130-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1440-132-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/3488-131-0x0000000000000000-mapping.dmp
- memory/4740-135-0x0000000000000000-mapping.dmp
- memory/4808-134-0x0000000000000000-mapping.dmp