Analysis
- max time kernel: 148s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 13:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
- Resource: win7-20220812-en
General
- Target: 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
- Size: 184KB
- MD5: 9d24c5085948664b6646aa53668697ba
- SHA1: f90ae6424cc532804fc1c58637b5f77781bc68ec
- SHA256: 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a
- SHA512: 7a8d0429e1e93eed853a736c3961e1860227e4601c70b62b56aafbe087d6ae878eac58567985f11e8e495b268559313e9e850a4247430bdd2ac81a23c4fe3097
- SSDEEP: 3072:wSVXqlrzCAIxhUWi4SMy6yFuLmV/VhkYhaTe/TY6tMfLpWpOo:ToIUWi/MvyaqrsTKG0Oo
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes: 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
  pid | process
  5088 | 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe (32 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe, cmd.exe
  description | pid | process | target process
  PID 5088 wrote to memory of 3124 | 5088 | 800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe | cmd.exe (3 identical entries)
  PID 3124 wrote to memory of 4292 | 3124 | cmd.exe | attrib.exe (3 identical entries)
  PID 3124 wrote to memory of 4240 | 3124 | cmd.exe | attrib.exe (3 identical entries)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  4240 | attrib.exe
  4292 | attrib.exe
Processes
- PID 5088: C:\Users\Admin\AppData\Local\Temp\800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe"
  Signatures:
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - PID 3124 (child of 5088): C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\TKBLMJ~1.DEF\crashes\events\A45ETM~1.BAT
    Signatures:
    - Suspicious use of WriteProcessMemory
    - PID 4292 (child of 3124): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe"
      Signatures:
      - Views/modifies file attributes
    - PID 4240 (child of 3124): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tkblmjt0.default-release\crashes\events\A45E.tmp.bat"
      Signatures:
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\TKBLMJ~1.DEF\crashes\events\A45E.tmp.bat
  Filesize: 630B
  MD5: f978336c69a0e0f4067579ca5c8497b6
  SHA1: 882a15c5ec784ec999216e371f3d56c31b7a23d2
  SHA256: 11db65d21b5e865a95b74d89ac736314362173f4f5884bd46d3c7f0b08607955
  SHA512: 8af2d42ab8bd9e3d90ec7416870b1ef4c5bff2da5df111a5c436876e20e61ddcaa2470a85a87efa5570b7a9364e9f751f22c3c5da6665a32fe6f83d418f367a3
- memory/3124-138-0x0000000000000000-mapping.dmp
- memory/4240-142-0x0000000000000000-mapping.dmp
- memory/4292-141-0x0000000000000000-mapping.dmp
- memory/5088-132-0x00000000021C0000-0x0000000002202000-memory.dmp
  Filesize: 264KB
- memory/5088-135-0x0000000000400000-0x0000000000444000-memory.dmp
  Filesize: 272KB
- memory/5088-136-0x00000000021C0000-0x0000000002202000-memory.dmp
  Filesize: 264KB
- memory/5088-137-0x00000000021C0000-0x0000000002202000-memory.dmp
  Filesize: 264KB
- memory/5088-139-0x00000000021C0000-0x0000000002202000-memory.dmp
  Filesize: 264KB