4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea

Analysis

max time kernel
147s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:22

Target

4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe
Size

1.2MB
MD5

dcd51751f7a0ebada8e19cd863f44646
SHA1

e22e825ce8c912b6b5c8e537141d1db3f437c51c
SHA256

4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea
SHA512

5c915d3c36da50c60338681f33ea7a88fad71e8d7e2c36e77d79a5faac5007704bd450cec0b2f51faadc1e3dd727f7076ca424cfdce6ee2334ede8be5ea9c906
SSDEEP

24576:8hX1/2MGli3IsmlbgjIfJlsYTgW7bTEy7y+ROr6gv1x3lluP6YhxGb:8hF/oi3Nmpgc8Y3TEiBO2qDAc

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exenet.exe

description	pid	process	target process
PID 1372 wrote to memory of 1692	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	cmd.exe
PID 1372 wrote to memory of 1692	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	cmd.exe
PID 1372 wrote to memory of 1692	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	cmd.exe
PID 1372 wrote to memory of 1692	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	cmd.exe
PID 1372 wrote to memory of 1448	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	net.exe
PID 1372 wrote to memory of 1448	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	net.exe
PID 1372 wrote to memory of 1448	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	net.exe
PID 1372 wrote to memory of 1448	1372	4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe	net.exe
PID 1448 wrote to memory of 996	1448	net.exe	net1.exe
PID 1448 wrote to memory of 996	1448	net.exe	net1.exe
PID 1448 wrote to memory of 996	1448	net.exe	net1.exe
PID 1448 wrote to memory of 996	1448	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe
"C:\Users\Admin\AppData\Local\Temp\4cc88d5d865cf9c417ab7b0cd32d11d9d7a35d4c80849e42c1ca35bacd5567ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EMBUTIR1.exe /stext C:\Users\Admin\AppData\Local\Temp\\senha.txt"
2⤵
PID:1692

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
3⤵
PID:996

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/996-57-0x0000000000000000-mapping.dmp

Download
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1448-56-0x0000000000000000-mapping.dmp

Download
memory/1692-55-0x0000000000000000-mapping.dmp

Download