bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe
Size

576KB
MD5

00a06f0c2a867561581510c00628b446
SHA1

04092738bf0ac9127cb0d86d5ff23e49e7f55201
SHA256

bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c
SHA512

b6bb57e74c6e196a7154d9ef768bcd52af5dee7afcaecc5cc319b297c55c2f454d1e298517c7546a074e50a026399b8ea545883507eff88999774df8de9ec0b6
SSDEEP

12288:OhXB8Vumq6QAO0F2uGPQDStCzFjyAH48UwP6hkMvUie7uXiB5NkTYayKXm+h2w9j:OCVTnGmr5RNu6Crhs

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27
PID 1896 wrote to memory of 948	1896	bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe	27

C:\Users\Admin\AppData\Local\Temp\bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe
"C:\Users\Admin\AppData\Local\Temp\bf9ac5211bc1ea0ccc69a382adf0b7a3185c7da8a5446fc3bfa5ed0dff9e511c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-56-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-62-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-63-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-67-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-69-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1896-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1896-68-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download