Analysis
- max time kernel: 198s
- max time network: 216s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 20:17

Static task: static1

Behavioral task: behavioral1
- Sample: 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
- Resource: win10v2004-20220414-en
General
- Target: 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
- Size: 5.6MB
- MD5: 850994426304c5a78d585c0e378c6160
- SHA1: ffde6d0419876c305b8d50d89e0375a0e87a7da4
- SHA256: 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7
- SHA512: 40fd58f86ea63fc9a587f9e8907628f2cfcb5322b532249e9a4685b1efd2e3ab064d217f94dabc720500864904ebdf42b96358a410cf345f7a2f61547e9e57ac
Malware Config
Signatures
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           | pid  | process                                                                  | target process
    PID 2052 set thread context of 3556   | 2052 | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    3556 | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
    3556 | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (all 10 events are identical):
    description                           | pid  | process                                                                  | target process
    PID 2052 wrote to memory of 3556 (x10) | 2052 | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe | 73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe
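The SetThreadContext and WriteProcessMemory signatures above describe one parent (PID 2052) writing into a freshly spawned copy of its own image (PID 3556) and then resetting that child's thread context, which is the classic process-hollowing / RunPE sequence. The script below is an added example, not part of the sandbox report or of the sample's code: it parses event lines written in the report's own "PID <src> <verb> <dst> <image> <image>" wording plus the memory-dump file names from the Downloads list, groups API calls per source/target pair, and flags pairs that show both calls. The event lines and dump names are constructed from the values on this page; the "likely process hollowing" label is a heuristic assumption (same image name on both sides), not a verdict the sandbox itself emits.

```python
"""Flag parent-to-child code injection from sandbox-style API event lines.

Heuristic: a cross-process pair that both wrote into the target and set one of
its thread contexts is an injection; if both sides run the same image it looks
like process hollowing (assumption, not a sandbox-provided verdict).
"""
import re
from collections import defaultdict

SAMPLE = "73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"

# Constructed event lines in the report's wording; PIDs, counts and the image
# name are the ones shown in the Signatures section above.
EVENTS = (
    [f"PID 2052 set thread context of 3556 {SAMPLE} {SAMPLE}"]
    + [f"PID 2052 wrote to memory of 3556 {SAMPLE} {SAMPLE}"] * 10
)

# Constructed dump names copied from the report's Downloads list.
DUMPS = [
    "memory/2052-130-0x0000000000160000-0x0000000000700000-memory.dmp",
    "memory/3556-136-0x0000000000400000-0x00000000004AF000-memory.dmp",
]

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
VERB_TO_API = {
    "set thread context of": "SetThreadContext",
    "wrote to memory of": "WriteProcessMemory",
}


def parse_events(lines):
    """Return {(src_pid, dst_pid): {"apis": {api: count}, "same_image": bool}}."""
    pairs = defaultdict(lambda: {"apis": defaultdict(int), "same_image": False})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # ignore lines in other formats (e.g. EnumeratesProcesses rows)
        key = (int(m["src"]), int(m["dst"]))
        pairs[key]["apis"][VERB_TO_API[m["verb"]]] += 1
        pairs[key]["same_image"] = m["src_img"] == m["dst_img"]
    return pairs


def parse_dumps(names):
    """Return {pid: largest dumped region size in bytes} from dump file names."""
    sizes = {}
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue  # "-mapping.dmp" entries carry no address range
        size = int(m["end"], 16) - int(m["start"], 16)
        pid = int(m["pid"])
        sizes[pid] = max(sizes.get(pid, 0), size)
    return sizes


def find_injections(lines, dump_names):
    """List cross-process pairs that both wrote memory and set a thread context."""
    findings = []
    dumps = parse_dumps(dump_names)
    for (src, dst), info in parse_events(lines).items():
        if src == dst:
            continue  # a process touching itself is not injection
        apis = info["apis"]
        if "SetThreadContext" in apis and "WriteProcessMemory" in apis:
            findings.append({
                "source": src,
                "target": dst,
                "writes": apis["WriteProcessMemory"],
                "same_image": info["same_image"],
                "source_region_bytes": dumps.get(src),
                "target_region_bytes": dumps.get(dst),
                # heuristic label, see module docstring
                "verdict": "likely process hollowing" if info["same_image"]
                           else "cross-process injection",
            })
    return findings


if __name__ == "__main__":
    for finding in find_injections(EVENTS, DUMPS):
        print(finding)
```

On the page's own data this yields a single finding: 2052 -> 3556, ten writes, same image, with the parent's main region spanning 0x160000-0x700000 (0x5A0000 bytes, the 5.6MB listed) and the child's only 0x400000-0x4AF000 (0xAF000 bytes, the 700KB listed). A much smaller image in the child than in the parent is consistent with a compact payload being written over the hollowed child rather than the child running the full 5.6MB file.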
Processes
1. C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe (PID 2052)
   Command line: "C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe (PID 3556, child of PID 2052)
      Command line: "C:\Users\Admin\AppData\Local\Temp\73771687cc99119179751de6ff92b29350a75c0b8cd53074cab5ce7edae001f7.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file name | region | size):
- memory/2052-130-0x0000000000160000-0x0000000000700000-memory.dmp | 0x160000-0x700000 | 5.6MB
- memory/2052-131-0x0000000004F10000-0x0000000004FAC000-memory.dmp | 0x4F10000-0x4FAC000 | 624KB
- memory/2052-132-0x00000000089E0000-0x0000000008F84000-memory.dmp | 0x89E0000-0x8F84000 | 5.6MB
- memory/2052-133-0x00000000084D0000-0x0000000008562000-memory.dmp | 0x84D0000-0x8562000 | 584KB
- memory/2052-134-0x0000000008450000-0x000000000845A000-memory.dmp | 0x8450000-0x845A000 | 40KB
- memory/3556-135-0x0000000000000000-mapping.dmp | (mapping) | -
- memory/3556-136-0x0000000000400000-0x00000000004AF000-memory.dmp | 0x400000-0x4AF000 | 700KB
- memory/3556-137-0x0000000000400000-0x00000000004AF000-memory.dmp | 0x400000-0x4AF000 | 700KB
- memory/3556-138-0x0000000000400000-0x00000000004AF000-memory.dmp | 0x400000-0x4AF000 | 700KB
- memory/3556-139-0x0000000000400000-0x00000000004AF000-memory.dmp | 0x400000-0x4AF000 | 700KB
- memory/3556-140-0x0000000000400000-0x00000000004AF000-memory.dmp | 0x400000-0x4AF000 | 700KB