Analysis
-
max time kernel
251s -
max time network
305s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 19:44
Static task
static1
Behavioral task
behavioral1
Sample
c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe
Resource
win7-20221111-en
General
-
Target
c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe
-
Size
932KB
-
MD5
4a08d146a79c5313dd96b788a776339d
-
SHA1
a69db8af1e70100142dc3d1c5cdc190f5bb85f7b
-
SHA256
c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf
-
SHA512
cfbce459cdb07d5192ed3f8bc4585331d20f01485e99c087d166b0e739091cafbcbc4b67efd6e6f9bdf42501fa948e418f513ca5b31cd9773b241427166e28d8
-
SSDEEP
24576:h1OYdaO6CZ/iWCvu/2sWsJA/jlt+DHhst:h1OsECpYO/dJJDHhst
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ypTTw5O9bpiTbhU.exepid process 2980 ypTTw5O9bpiTbhU.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
ypTTw5O9bpiTbhU.exepid process 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe 2980 ypTTw5O9bpiTbhU.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
ypTTw5O9bpiTbhU.exedescription pid process Token: SeDebugPrivilege 2980 ypTTw5O9bpiTbhU.exe Token: SeDebugPrivilege 2980 ypTTw5O9bpiTbhU.exe Token: SeDebugPrivilege 2980 ypTTw5O9bpiTbhU.exe Token: SeDebugPrivilege 2980 ypTTw5O9bpiTbhU.exe Token: SeDebugPrivilege 2980 ypTTw5O9bpiTbhU.exe Token: SeDebugPrivilege 2980 ypTTw5O9bpiTbhU.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exedescription pid process target process PID 2300 wrote to memory of 2980 2300 c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe ypTTw5O9bpiTbhU.exe PID 2300 wrote to memory of 2980 2300 c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe ypTTw5O9bpiTbhU.exe PID 2300 wrote to memory of 2980 2300 c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe ypTTw5O9bpiTbhU.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe"C:\Users\Admin\AppData\Local\Temp\c1a68e5503d5369499e01a75b2523ce48994a5b087cd5aea36df0175c14a61cf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.exe.\ypTTw5O9bpiTbhU.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\hkkgddckohccdagmplnkknakkeokljhg\background.htmlFilesize
144B
MD55db56d86fe437cb3ec95b8ae3030df23
SHA141b2348ddc0457bf640870f9196d1d4566965ed7
SHA25678f403794743858c1c3697574a6b25a566dd7639f1f9391599430bb0fc04f4e5
SHA5128c89f9d0793b25e3c9722d124c47577471cdf1cbf7bdb4240278ba5f2feb1134ecef68e05573a3f4acc0cb0b836953ccc4a27d864c1fce8ee3d636b35c07b530
-
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\hkkgddckohccdagmplnkknakkeokljhg\content.jsFilesize
144B
MD5fca19198fd8af21016a8b1dec7980002
SHA1fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA51260f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.datFilesize
1KB
MD525e8862691433e169572bd2e66086d9b
SHA1df6a98865a700fc85c83cc5443398172b64531ef
SHA2566dc9d05d719ca019cbce5dd56f42bca1f00167427667bb9fdf69651509cc0f5a
SHA512f786e7181ba76a782339d020a980751b3f78c446efdf13b39eccf046011e5c48f51d2efaf2bc3ac7fc942ab0ec05998c6ea991b30b3846be050c851eff9c8ac2
-
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.exeFilesize
772KB
MD55ed7019dcd0008dbcd8e54017b8c7dd9
SHA17e4457da2ff06c2170bad636c9eb7c1bb436fd06
SHA2567f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
SHA51210cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
-
C:\Users\Admin\AppData\Local\Temp\7zSF21B.tmp\ypTTw5O9bpiTbhU.exeFilesize
772KB
MD55ed7019dcd0008dbcd8e54017b8c7dd9
SHA17e4457da2ff06c2170bad636c9eb7c1bb436fd06
SHA2567f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
SHA51210cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
-
memory/2980-132-0x0000000000000000-mapping.dmp