Analysis
-
max time kernel
106s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 04:18
Static task
static1
Behavioral task
behavioral1
Sample
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
Resource
win7-20220901-en
General
-
Target
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
-
Size
3.0MB
-
MD5
7ec8ecb42a68d7064babb5bee18c8251
-
SHA1
70f81f6cd550981bf97665f19730c0cf696022c1
-
SHA256
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355
-
SHA512
85429f2dc6bdcc558910b30118741f1c401f7a33557dc5c8ab3e56969d22ab9840506c916f83c8af48b722d6f26c848c166bfa21d6ba8fe4f0bbb2ad7d26bdf5
-
SSDEEP
49152:jggTws/XWGgeLB45FkmCMYghoFfSbqgG23TSPfxWw8zJFtpWvgi/CmpVyR96S:cU/XPByFDNhoFfSbqgGEGPfx1cdu/l
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
Processes:
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exepid process 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exepid process 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exedescription pid process Token: SeDebugPrivilege 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exedescription pid process target process PID 1324 wrote to memory of 1352 1324 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe PID 1324 wrote to memory of 1352 1324 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe PID 1324 wrote to memory of 1352 1324 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe PID 1324 wrote to memory of 1352 1324 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe PID 1352 wrote to memory of 1756 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe cmd.exe PID 1352 wrote to memory of 1756 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe cmd.exe PID 1352 wrote to memory of 1756 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe cmd.exe PID 1352 wrote to memory of 1756 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe"C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe"C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe C:\SystemVolume\Program\3⤵PID:1756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD524a624cfac7d2982c8e3a653a3babe8a
SHA1444cd7c84b74667c920c879dc8d2fb7b4d702aa8
SHA256195374f37ff4271fbd2f4def5305d30af703633e542fe6f7636b173de197d8af
SHA5125fb7232b4708b89cd1b5cba5124836f6f5ac7c6dbab3be66feddceb38f346032783c618c20b247b572598340c55e7146f384d157c0ed35e85d0e15ea3493326e
-
Filesize
40KB
MD5b7c3e334648a6cbb03b550b842818409
SHA1767be295f1e4adedf0e10532f9c1b7908d17383a
SHA256f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
SHA51243ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1
-
Filesize
704KB
MD527a7a40b2b83578e0c3bffb5a167d67a
SHA1d20a7d3308990ce04839569b66f8639d6ed55848
SHA256ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
SHA5127b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef
-
Filesize
2.3MB
MD5676fc65e4a49a525df0ecde3596f3ae5
SHA1e125975958b08207be081e94ca1674fec0bcec98
SHA256c9192fe69d7eef69b1e27e630ae643dcb0838b7bc0ac43e69a979f5a726256c1
SHA5123a4dde17cbe3eb60c5ce6f3bc58c24769835c9fcef091df5883b47e058516b15be2dc28a49e3a360ee3e5da8e4c6845cbcfc05e0042ae2d592efc13778a23c42
-
Filesize
35KB
MD524a624cfac7d2982c8e3a653a3babe8a
SHA1444cd7c84b74667c920c879dc8d2fb7b4d702aa8
SHA256195374f37ff4271fbd2f4def5305d30af703633e542fe6f7636b173de197d8af
SHA5125fb7232b4708b89cd1b5cba5124836f6f5ac7c6dbab3be66feddceb38f346032783c618c20b247b572598340c55e7146f384d157c0ed35e85d0e15ea3493326e
-
Filesize
40KB
MD5b7c3e334648a6cbb03b550b842818409
SHA1767be295f1e4adedf0e10532f9c1b7908d17383a
SHA256f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
SHA51243ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1
-
Filesize
704KB
MD527a7a40b2b83578e0c3bffb5a167d67a
SHA1d20a7d3308990ce04839569b66f8639d6ed55848
SHA256ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
SHA5127b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef
-
Filesize
2.3MB
MD5676fc65e4a49a525df0ecde3596f3ae5
SHA1e125975958b08207be081e94ca1674fec0bcec98
SHA256c9192fe69d7eef69b1e27e630ae643dcb0838b7bc0ac43e69a979f5a726256c1
SHA5123a4dde17cbe3eb60c5ce6f3bc58c24769835c9fcef091df5883b47e058516b15be2dc28a49e3a360ee3e5da8e4c6845cbcfc05e0042ae2d592efc13778a23c42