Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 02:04
Behavioral task
behavioral1
Sample: 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
Resource: win7-20220812-en (windows7-x64)
6 signatures
300 seconds
General
Target: 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
Size: 4.0MB
MD5: bb9bdd70279f3323c34a42ec301cded6
SHA1: 12967ba3af210c3032a241a01354e30c9464ff71
SHA256: 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31
SHA512: 6fdb933d66b5f29559372fb240124660e6692c081a59682202b1a72a5885f24ac16422bef2ed42827777c6d190650cfd245c615e306be700393dde73b85afc53
SSDEEP: 49152:yWtH6EVy6gHmDVWfyWnlY0DWjNkkvY9Ewrx+HQ4Mxj2X+VewkFzXohdsBT41Xt/B:yWKmhBWs9w9TIw5xy+Ve1FzYbsBs
Malware Config
Signatures
YTStealer payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1660-54-0x0000000000CD0000-0x0000000001AA9000-memory.dmp | family_ytstealer
behavioral1/memory/1660-57-0x0000000000CD0000-0x0000000001AA9000-memory.dmp | family_ytstealer
Processes:
resource | yara_rule
behavioral1/memory/1660-54-0x0000000000CD0000-0x0000000001AA9000-memory.dmp | upx
behavioral1/memory/1660-57-0x0000000000CD0000-0x0000000001AA9000-memory.dmp | upx
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1660 | 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
1660 | 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 1660 wrote to memory of 1868 | 1660 | 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe | cmd.exe
PID 1660 wrote to memory of 1868 | 1660 | 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe | cmd.exe
PID 1660 wrote to memory of 1868 | 1660 | 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe | cmd.exe
PID 1868 wrote to memory of 1996 | 1868 | cmd.exe | choice.exe
PID 1868 wrote to memory of 1996 | 1868 | cmd.exe | choice.exe
PID 1868 wrote to memory of 1996 | 1868 | cmd.exe | choice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 0