Analysis
- max time kernel: 263s
- max time network: 321s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:43
Static task: static1
Behavioral task: behavioral1
Sample: c20624bce48c4b0f9ed8cff8d51fcd3017ae53e42eef682dcfbe8f63ff8fbfad.exe
Resource: win7-20221111-en
General
- Target: c20624bce48c4b0f9ed8cff8d51fcd3017ae53e42eef682dcfbe8f63ff8fbfad.exe
- Size: 919KB
- MD5: fd6c91c19dd5565ddf9223e74dfbebff
- SHA1: 0c2f84b59115b08930a74d545958ae972f12e3f8
- SHA256: c20624bce48c4b0f9ed8cff8d51fcd3017ae53e42eef682dcfbe8f63ff8fbfad
- SHA512: 5030b5f7223f16dc90ccf3a0ebc6f21075a86b55fdefddcef9abf7b4d6cdbe1e133a004ab28fb24026b18379be46b127aac4b3049593ab88d1d72184ee0ee310
- SSDEEP: 24576:h1OYdaOLMtdHAqcdDVhYwiei7+EpFAh/kKy:h1OsCPHVmVhYwiLtKkKy
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 5044 hhECqWZ1G9fJxhr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: pid 5044 hhECqWZ1G9fJxhr.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: Token: SeDebugPrivilege, pid 5044 hhECqWZ1G9fJxhr.exe (6 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2124 (c20624bce48c4b0f9ed8cff8d51fcd3017ae53e42eef682dcfbe8f63ff8fbfad.exe) wrote to memory of PID 5044 (hhECqWZ1G9fJxhr.exe) (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\c20624bce48c4b0f9ed8cff8d51fcd3017ae53e42eef682dcfbe8f63ff8fbfad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c20624bce48c4b0f9ed8cff8d51fcd3017ae53e42eef682dcfbe8f63ff8fbfad.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSC7BB.tmp\hhECqWZ1G9fJxhr.exe
    Command line: .\hhECqWZ1G9fJxhr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSC7BB.tmp\hhECqWZ1G9fJxhr.dat
  Filesize: 1KB
  MD5: b1e0649773830d4dc46b471ed226b3ee
  SHA1: 56cfc01f1261737a1209ebc6e8ac6ae9b60966a0
  SHA256: ebe919bfdb79715cbc070f1d4cb0d8aaff134917711baed78fff898582b2e086
  SHA512: 29520d30a42850188a17182cd41613596ea231bab2f4f9bbe6f8ea35ca4a8999a71726cf8e0032872fbac3a3fc19944430b6c4facc8cfdc4356aff40ed295b6a
- C:\Users\Admin\AppData\Local\Temp\7zSC7BB.tmp\hhECqWZ1G9fJxhr.exe
  Filesize: 760KB
  MD5: dcd148f6f3af3e3b0935c4fcc9f41811
  SHA1: ee9bdbc7c568c7832d90b85921ab20030b6734cd
  SHA256: f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4
  SHA512: 34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886
- memory/5044-132-0x0000000000000000-mapping.dmp