Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 01:52
Behavioral task: behavioral1
Sample: 64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe
Resource: win7-20220812-en (windows7-x64)
6 signatures
300 seconds
General
Target: 64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe
Size: 4.0MB
MD5: 5ae7651ea4d4221046045d69d537984f
SHA1: 64b4329e0bc794d8c331b2f96cba02bce814aaaf
SHA256: 64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1
SHA512: ad672743a12c516966d15b9d9152f87a88eef1565c626100b0cdbefd3bdde551c67cc440e338cf1f7d4a6c291ba91ef733e62afb84dde6b14b48aa882ed54872
SSDEEP: 98304:mOeGUVkiefAtxFrgD/wzmAFeRIGrj+yixxoU:mQbin3r6HRIuD6
Malware Config
Signatures

YTStealer payload (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/1884-54-0x0000000000FF0000-0x0000000001DC8000-memory.dmp   family_ytstealer
behavioral1/memory/1884-57-0x0000000000FF0000-0x0000000001DC8000-memory.dmp   family_ytstealer

Processes:
resource                                                                      yara_rule
behavioral1/memory/1884-54-0x0000000000FF0000-0x0000000001DC8000-memory.dmp   upx
behavioral1/memory/1884-57-0x0000000000FF0000-0x0000000001DC8000-memory.dmp   upx
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid    process
1884   64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe
1884   64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                          pid    process                                                                 target process
PID 1884 wrote to memory of 772      1884   64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe   cmd.exe
PID 1884 wrote to memory of 772      1884   64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe   cmd.exe
PID 1884 wrote to memory of 772      1884   64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe   cmd.exe
PID 772 wrote to memory of 1572      772    cmd.exe                                                                 choice.exe
PID 772 wrote to memory of 1572      772    cmd.exe                                                                 choice.exe
PID 772 wrote to memory of 1572      772    cmd.exe                                                                 choice.exe
Processes

C:\Users\Admin\AppData\Local\Temp\64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\64e7fd5ac3683bf3f6dd0e8af328bacde30f7b715a487de9cfb774082c54c6e1.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\choice.exe
      command line: choice /C Y /N /D Y /T 0