Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
30-08-2022 02:10
Behavioral task
behavioral1
Sample
94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
Resource
win7-20220812-en
windows7-x64
6 signatures
300 seconds
General
-
Target
94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
-
Size
4.0MB
-
MD5
260218734f5630ff01b971e7e608173d
-
SHA1
6f6de1f5eec33c1ad763df5c2d7c2470d633ac8a
-
SHA256
94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967
-
SHA512
5923cd5e79beed2bb2f7b9164db71e1e2c4ba515136f23edb8d080ad34ff16bac26467a1db3442fe603c4d128110211e37375890eb2ef298537791d5291ab947
-
SSDEEP
98304:w/0ayWy0zgH6bA55Nwkug2dsL6xX7YsgsN18ZhNXdvYIXjFM3:wHy0zga+xuJdi6pwsL8ZhfgIXpM3
Malware Config
Signatures
-
YTStealer payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1764-54-0x0000000000170000-0x0000000000F49000-memory.dmp   family_ytstealer
behavioral1/memory/1764-57-0x0000000000170000-0x0000000000F49000-memory.dmp   family_ytstealer
-
Processes:
resource                                                                      yara_rule
behavioral1/memory/1764-54-0x0000000000170000-0x0000000000F49000-memory.dmp   upx
behavioral1/memory/1764-57-0x0000000000170000-0x0000000000F49000-memory.dmp   upx
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Process: 94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
pid    process
1764   94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
1764   94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Processes: 94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe, cmd.exe
description                         pid    process                                                                 target process
PID 1764 wrote to memory of 1772    1764   94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe   cmd.exe
PID 1764 wrote to memory of 1772    1764   94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe   cmd.exe
PID 1764 wrote to memory of 1772    1764   94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe   cmd.exe
PID 1772 wrote to memory of 560     1772   cmd.exe                                                                 choice.exe
PID 1772 wrote to memory of 560     1772   cmd.exe                                                                 choice.exe
PID 1772 wrote to memory of 560     1772   cmd.exe                                                                 choice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764 -
    C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\94c9afa6decdffd81c21cc057720fd0b9f63eb23324c28b0bfe1b79d2fbe8967.exe
    - Suspicious use of WriteProcessMemory
    PID:1772 -
        C:\Windows\system32\choice.exe
        Command line: choice /C Y /N /D Y /T 0
        PID:560