c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf

Analysis

max time kernel
251s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe
Size

932KB
MD5

4a08d146a79c5313dd96b788a776339d
SHA1

a69db8af1e70100142dc3d1c5cdc190f5bb85f7b
SHA256

c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf
SHA512

cfbce459cdb07d5192ed3f8bc4585331d20f01485e99c087d166b0e739091cafbcbc4b67efd6e6f9bdf42501fa948e418f513ca5b31cd9773b241427166e28d8
SSDEEP

24576:h1OYdaO6CZ/iWCvu/2sWsJA/jlt+DHhst:h1OsECpYO/dJJDHhst

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ypTTw5O9bpiTbhU.exe

pid process

2980 ypTTw5O9bpiTbhU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ypTTw5O9bpiTbhU.exe

pid	process
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe
2980	ypTTw5O9bpiTbhU.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ypTTw5O9bpiTbhU.exe

description	pid	process
Token: SeDebugPrivilege	2980	ypTTw5O9bpiTbhU.exe
Token: SeDebugPrivilege	2980	ypTTw5O9bpiTbhU.exe
Token: SeDebugPrivilege	2980	ypTTw5O9bpiTbhU.exe
Token: SeDebugPrivilege	2980	ypTTw5O9bpiTbhU.exe
Token: SeDebugPrivilege	2980	ypTTw5O9bpiTbhU.exe
Token: SeDebugPrivilege	2980	ypTTw5O9bpiTbhU.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe

description	pid	process	target process
PID 2300 wrote to memory of 2980	2300	c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe	ypTTw5O9bpiTbhU.exe
PID 2300 wrote to memory of 2980	2300	c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe	ypTTw5O9bpiTbhU.exe
PID 2300 wrote to memory of 2980	2300	c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe	ypTTw5O9bpiTbhU.exe

C:\Users\Admin\AppData\Local\Temp\c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe
"C:\Users\Admin\AppData\Local\Temp\c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.exe
.\ypTTw5O9bpiTbhU.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\hkkgddckohccdagmplnkknakkeokljhg\background.html
Filesize
144B

MD5
5db56d86fe437cb3ec95b8ae3030df23

SHA1
41b2348ddc0457bf640870f9196d1d4566965ed7

SHA256
78f403794743858c1c3697574a6b25a566dd7639f1f9391599430bb0fc04f4e5

SHA512
8c89f9d0793b25e3c9722d124c47577471cdf1cbf7bdb4240278ba5f2feb1134ecef68e05573a3f4acc0cb0b836953ccc4a27d864c1fce8ee3d636b35c07b530

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\hkkgddckohccdagmplnkknakkeokljhg\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.dat
Filesize
1KB

MD5
25e8862691433e169572bd2e66086d9b

SHA1
df6a98865a700fc85c83cc5443398172b64531ef

SHA256
6dc9d05d719ca019cbce5dd56f42bca1f00167427667bb9fdf69651509cc0f5a

SHA512
f786e7181ba76a782339d020a980751b3f78c446efdf13b39eccf046011e5c48f51d2efaf2bc3ac7fc942ab0ec05998c6ea991b30b3846be050c851eff9c8ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/2980-132-0x0000000000000000-mapping.dmp

Download