bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977

Analysis

max time kernel
70s
max time network
175s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2022, 03:47

Target

bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977.exe
Size

7.5MB
MD5

a94454236aa9ec0839399191875fdbf3
SHA1

1bde5be455f396f19917e381ce9050facc7c754c
SHA256

bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977
SHA512

15d216fc37772d9049ef54dc926dbecf2a051192314b040ceb85d944affe463694caba2e9806e96b5cf7b637655fb4949de8d638023811a2e5dea46466691b8b
SSDEEP

49152:Odu5HFkKKs2rb/T4vO90d7HjmAFd4A64nsfJA+WETLSf4NxwKoGfTOcoG2p92uy+:Jkm7VKOOpEiEXkuzJ9AlE1xdWky

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 5016	1736	bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977.exe	66
PID 1736 wrote to memory of 5016	1736	bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977.exe	66

C:\Users\Admin\AppData\Local\Temp\bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977.exe
"C:\Users\Admin\AppData\Local\Temp\bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\cmd.exe
  cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\bcce8e51552e7810d696f563d345db9d123dc3d15061bfdc8037e17cf8b15977.exe"
  2⤵
  PID:5016

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact