Analysis
- max time kernel: 73s
- max time network: 186s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-08-2022 02:04
Behavioral task: behavioral1
- Sample: 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
- Resource: win7-20220812-en
- Platform: windows7-x64
- 6 signatures
- 300 seconds
General
- Target: 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
- Size: 4.0MB
- MD5: bb9bdd70279f3323c34a42ec301cded6
- SHA1: 12967ba3af210c3032a241a01354e30c9464ff71
- SHA256: 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31
- SHA512: 6fdb933d66b5f29559372fb240124660e6692c081a59682202b1a72a5885f24ac16422bef2ed42827777c6d190650cfd245c615e306be700393dde73b85afc53
- SSDEEP: 49152:yWtH6EVy6gHmDVWfyWnlY0DWjNkkvY9Ewrx+HQ4Mxj2X+VewkFzXohdsBT41Xt/B:yWKmhBWs9w9TIw5xy+Ve1FzYbsBs
Malware Config
Signatures
- YTStealer payload (1 IoCs)
  Processes (resource / yara_rule):
  behavioral2/memory/2664-118-0x0000000001370000-0x0000000002149000-memory.dmp / family_ytstealer
- Processes (resource / yara_rule):
  behavioral2/memory/2664-115-0x0000000001370000-0x0000000002149000-memory.dmp / upx
  behavioral2/memory/2664-118-0x0000000001370000-0x0000000002149000-memory.dmp / upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  2664 / 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
  2664 / 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
  2664 / 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
  2664 / 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 2664 wrote to memory of 2068 / 2664 / 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe / cmd.exe
  PID 2664 wrote to memory of 2068 / 2664 / 80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe / cmd.exe
  PID 2068 wrote to memory of 3880 / 2068 / cmd.exe / choice.exe
  PID 2068 wrote to memory of 3880 / 2068 / cmd.exe / choice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\80cc0a0a4fec7476f0453e741822757124a41e7096675003c1c0e20c9e471a31.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 0