Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 30-08-2022 01:56
Behavioral task
behavioral1
Sample: 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe
Resource: win7-20220812-en
6 signatures
300 seconds
General
Target: 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe
Size: 4.0MB
MD5: 1a2a40d7b4da9d7d63bed8ca312c0e5b
SHA1: f88167a46e6451842046150b3d22fee125d0f409
SHA256: 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c
SHA512: 32930088e7e213d5a3da0c5b9d452faa461fb17642e2ec369ccaf9a055bc2c362f18af4cd1286718349f0c900941d3536acfa2a837d09c4b01d75ba1e8333958
SSDEEP: 49152:k8tFZBAwgaj8VOtlJEyig0O/HPVe98W/u7luCSX+jVav9sqbpemO8FKX+i5m6qs1:nFPgajoqlF0OPPVTWLL+jY1PQv8V1Hl
Malware Config

Signatures

YTStealer payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/896-54-0x0000000000C60000-0x0000000001A38000-memory.dmp | family_ytstealer
behavioral1/memory/896-57-0x0000000000C60000-0x0000000001A38000-memory.dmp | family_ytstealer

Processes:
resource | yara_rule
behavioral1/memory/896-54-0x0000000000C60000-0x0000000001A38000-memory.dmp | upx
behavioral1/memory/896-57-0x0000000000C60000-0x0000000001A38000-memory.dmp | upx
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
896 | 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe
896 | 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 896 wrote to memory of 968 | 896 | 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe | cmd.exe
PID 896 wrote to memory of 968 | 896 | 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe | cmd.exe
PID 896 wrote to memory of 968 | 896 | 6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe | cmd.exe
PID 968 wrote to memory of 1564 | 968 | cmd.exe | choice.exe
PID 968 wrote to memory of 1564 | 968 | cmd.exe | choice.exe
PID 968 wrote to memory of 1564 | 968 | cmd.exe | choice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe"
   PID: 896
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\6c7f88e55c57084e53170b71776508a57ebc129349a82a264c0981b299749b9c.exe
      PID: 968
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 0
         PID: 1564