6da01e9b96e29532b858e780d8eb7a6d05b047a32df790f1e215fc41fc35e370

Analysis

max time kernel
44s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-09-2022 17:58

Target

5689.exe
Size

164KB
MD5

6e114af8b74b128698c1bdc0e72269df
SHA1

61fc8325cc47e6f2a784fa1c92afe03723a14e70
SHA256

6da01e9b96e29532b858e780d8eb7a6d05b047a32df790f1e215fc41fc35e370
SHA512

39457ea934e475582407a8f03e2b0e543beb405ea20e2301acc7b1ce99c2efb104bff26601db1ded632108cec5d0c49715bc471e9c193ae9b2baebafffd36ca1
SSDEEP

3072:5/QcZxIKug+6ALQC2mC5Z9wVi3Gl9i+I6/AkfLZhej/V9u/D:5/TLugjbKfi+I+tL

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 304	1088	5689.exe	28
PID 1088 wrote to memory of 304	1088	5689.exe	28
PID 1088 wrote to memory of 304	1088	5689.exe	28
PID 1088 wrote to memory of 304	1088	5689.exe	28

C:\Users\Admin\AppData\Local\Temp\5689.exe
"C:\Users\Admin\AppData\Local\Temp\5689.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:304

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact