Analysis

  max time kernel:   43s
  max time network:  46s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         30-08-2022 01:51

Behavioral task: behavioral1
  Sample:    5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe
  Resource:  win7-20220812-en (windows7-x64)
  7 signatures, 300 seconds
General

  Target:  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe
  Size:    4.0MB
  MD5:     730943986dd5ea5044f18ae854e5f5fb
  SHA1:    762efb34221cef11f113b7451d9495a69f3f9a9a
  SHA256:  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569
  SHA512:  d45d78e120e2ae937893a720d70801e0b545f439c12e7c917279d77ca4c58350ce9e74ce8cc9af84173ed1247b348d2794ec86c22006b45ae065989c52dfbba1
  SSDEEP:  98304:EZ4WM5IdwnJDd/4GHVwdI3y4vXaMixI5okN2MXqleNM76Lhj5M9f:EZ43OdwN9Qyise4ogq57Itm9
Malware Config
Signatures

  YTStealer payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1980-54-0x0000000001350000-0x0000000002119000-memory.dmp   family_ytstealer
    behavioral1/memory/1980-57-0x0000000001350000-0x0000000002119000-memory.dmp   family_ytstealer

  upx (yara rule match on the same memory regions, 2 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1980-54-0x0000000001350000-0x0000000002119000-memory.dmp   upx
    behavioral1/memory/1980-57-0x0000000001350000-0x0000000002119000-memory.dmp   upx

  Deletes itself (1 IoC)
    pid   process
    1632  cmd.exe

  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   process
    1980  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe
    1980  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                          pid   process                                                                -> target process
    PID 1980 wrote to memory of 1632     1980  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe  -> cmd.exe
    PID 1980 wrote to memory of 1632     1980  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe  -> cmd.exe
    PID 1980 wrote to memory of 1632     1980  5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe  -> cmd.exe
    PID 1632 wrote to memory of 428      1632  cmd.exe                                                                -> choice.exe
    PID 1632 wrote to memory of 428      1632  cmd.exe                                                                -> choice.exe
    PID 1632 wrote to memory of 428      1632  cmd.exe                                                                -> choice.exe
Processes

  1. C:\Users\Admin\AppData\Local\Temp\5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe (PID 1980)
     command line: "C:\Users\Admin\AppData\Local\Temp\5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe"
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\system32\cmd.exe (PID 1632)
        command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\system32\choice.exe (PID 428)
           command line: choice /C Y /N /D Y /T 0
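The cmd.exe line in the tree above is the standard batch self-delete: the dropper spawns cmd.exe and exits, `choice /C Y /N /D Y /T 0` returns at once (default answer Y after a zero-second timeout), and `Del` then removes the dropper's file once the parent's handle on it is gone. The following is an added detection example written for this page; it is not the sandbox's own signature logic. It takes process-creation records in a Sysmon-like shape (pid, parent pid, image, command line), splits the cmd.exe command line into its `&`-separated segments, and flags a cmd.exe child whose `del`/`erase` target equals its parent's image path. The records are constructed from the tree above (the root's parent PID of 0 is an assumption), and the delay check also covers the `ping -n` and `timeout /t` variants, which this sample does not use.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation record, in the shape Sysmon Event ID 1 or an EDR would give."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "5e028e14942be8ef54ddc86cd528e28d203f85a16c0c0719ac0cd94ca51d0569.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed from the process tree in this report: PIDs, images and command lines are
# the ones the sandbox recorded; the root's parent PID (0) is an assumption.
SAMPLE_TREE = [
    Proc(1980, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(1632, 1980, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del " + SAMPLE_PATH),
    Proc(428, 1632, r"C:\Windows\system32\choice.exe", "choice /C Y /N /D Y /T 0"),
]

# Commands a batch one-liner uses to wait for its parent to exit before deleting it.
DELAY_CMDS = ("choice", "ping", "timeout", "sleep")


def shell_segments(cmdline):
    """Strip a leading 'cmd.exe /C' or '/K', then split the rest on &, &&, | and ||."""
    m = re.search(r'\bcmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmdline, re.I | re.S)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in re.split(r"&&|\|\||[&|]", body) if s.strip()]


def is_delay(segment):
    """True for 'choice /T n', 'ping -n n', 'timeout /t n' style segments."""
    return segment.split()[0].lower() in DELAY_CMDS


def del_targets(segment):
    """Return the paths a 'del'/'erase' segment removes, with switches dropped and quotes stripped."""
    m = re.match(r"(?:del|erase)\b(.*)$", segment, re.I | re.S)
    if not m:
        return []
    tokens = re.findall(r'"[^"]*"|\S+', m.group(1))
    return [t.strip('"') for t in tokens if not t.startswith("/")]


def find_self_deletion(procs):
    """Flag every cmd.exe child whose command line deletes its own parent's image file."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        segs = shell_segments(p.cmdline)
        targets = {t.lower() for s in segs for t in del_targets(s)}
        if parent.image.lower() in targets:
            hits.append({
                "cmd_pid": p.pid,
                "parent_pid": parent.pid,
                "deleted": parent.image,
                "delayed": any(is_delay(s) for s in segs),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_TREE):
        print(hit)
```

Matching on the parent's image path rather than on the string `choice` keeps the rule from firing on ordinary cleanup batch files that delete logs or temp files; the `delayed` flag is kept as context because a self-delete without any wait is unusual and worth a second look on its own.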