1079dd8ba84a643ff8c2dacaf485948b375971c882411a68671a0cacb7330570

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 15:47

Target

run.ps1
Size

116B
MD5

a7ace018fd3f518bc419f7e211609e01
SHA1

deaed741f50f27d7a60a34b83cef84f905e0569f
SHA256

01fda517b82e9a91c0269977ce1bf177850811b2861b399d2fb4a5e45095cfc6
SHA512

7920e3c2fd54f821b44b778512bd031cfb2ffddd5ba36f89f0b04650ad610eb6ff0cf506111bc81328ca0746f3472506649fe9d48b1c26401cdd771f423c7b51

Score

7^/10

spyware stealer

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4904 powershell.exe
4904 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4904 powershell.exe

pid	process
4904	powershell.exe
4904	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4904	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

powershell.exeRUNDLL32.EXE

description	pid	process	target process
PID 4904 wrote to memory of 4864	4904	powershell.exe	RUNDLL32.EXE
PID 4904 wrote to memory of 4864	4904	powershell.exe	RUNDLL32.EXE
PID 4864 wrote to memory of 2244	4864	RUNDLL32.EXE	rundll32.exe
PID 4864 wrote to memory of 2244	4864	RUNDLL32.EXE	rundll32.exe
PID 4864 wrote to memory of 2244	4864	RUNDLL32.EXE	rundll32.exe

C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
2⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
3⤵
PID:2244

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/2244-134-0x0000000000000000-mapping.dmp

Download
memory/4864-133-0x0000000000000000-mapping.dmp

Download
memory/4904-132-0x000001CA1BB70000-0x000001CA1BB92000-memory.dmp

Filesize
136KB

Download
memory/4904-135-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

Filesize
10.8MB

Download