Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 02:12
Behavioral task: behavioral1
Sample: 9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe
Resource: win7-20220812-en
6 signatures, 300 seconds
General
Target: 9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe
Size: 4.0MB
MD5: be6a47ee98b4111475dbd98d3d27be88
SHA1: 815761391418f0a61430b7b6a05d43c11647badd
SHA256: 9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec
SHA512: f6eab86f83595d100bf48f55d8b683dc3b04fd2232c7cf07f40cd0e6fef0a255ab12416a17ce3db976680478e430f55b478933a567dda0c2cdd9a164686409a5
SSDEEP: 98304:UCT3m/u18FLDmG+ul5cd130f9hTAF1GsXpwMwg1BxCThtih:NTm/LLSd1Ef9h6DXpw7uh
Malware Config
Signatures

YTStealer payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/736-54-0x0000000000F00000-0x0000000001CD9000-memory.dmp  family_ytstealer
  behavioral1/memory/736-57-0x0000000000F00000-0x0000000001CD9000-memory.dmp  family_ytstealer

Processes:
  resource                                                                     yara_rule
  behavioral1/memory/736-54-0x0000000000F00000-0x0000000001CD9000-memory.dmp  upx
  behavioral1/memory/736-57-0x0000000000F00000-0x0000000001CD9000-memory.dmp  upx

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  process
  736  9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe
  736  9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 736 wrote to memory of 1612    736   9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe   cmd.exe
  PID 736 wrote to memory of 1612    736   9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe   cmd.exe
  PID 736 wrote to memory of 1612    736   9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe   cmd.exe
  PID 1612 wrote to memory of 1712   1612  cmd.exe                                                                 choice.exe
  PID 1612 wrote to memory of 1712   1612  cmd.exe                                                                 choice.exe
  PID 1612 wrote to memory of 1712   1612  cmd.exe                                                                 choice.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 736

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\9df7176c20f48bc55b85306b49984ce616c6632b3afdcb68e93512f2633b53ec.exe
    - Suspicious use of WriteProcessMemory
    PID: 1612

    C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 0
      PID: 1712