Analysis

- max time kernel: 296s
- max time network: 276s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 21:05

Static task: static1

Behavioral task: behavioral1
- Sample: a8ab2358f2260e52a78ff8cf40a30c96d5fe72b9da0cd3f3859d7d77645fae85.exe
- Resource: win7-20220901-en
General

- Target: a8ab2358f2260e52a78ff8cf40a30c96d5fe72b9da0cd3f3859d7d77645fae85.exe
- Size: 920KB
- MD5: 17da1c87f7200efcb6279021956e15e4
- SHA1: bdaa690f5f1371c0c70219003429f10205fb732f
- SHA256: a8ab2358f2260e52a78ff8cf40a30c96d5fe72b9da0cd3f3859d7d77645fae85
- SHA512: 759ecd272b0046a5c0f280018e86083bda7c58e0492dd164283e565a8eff82c706ae10e939be9ae95aaf76f44961ec84da10f8efbc885092e31632ad24ec1fd7
- SSDEEP: 24576:h1OYdaObMtdHAqcdDVhYwiei7+EpFAh/kKW:h1OsSPHVmVhYwiLtKkKW
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  Processes: pid 1000, EDlGIqo4bS5o1eV.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: pid 1000, EDlGIqo4bS5o1eV.exe (12 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: pid 1000, EDlGIqo4bS5o1eV.exe, Token: SeDebugPrivilege (6 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 960 (a8ab2358f2260e52a78ff8cf40a30c96d5fe72b9da0cd3f3859d7d77645fae85.exe) wrote to memory of PID 1000 (EDlGIqo4bS5o1eV.exe) (3 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\a8ab2358f2260e52a78ff8cf40a30c96d5fe72b9da0cd3f3859d7d77645fae85.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8ab2358f2260e52a78ff8cf40a30c96d5fe72b9da0cd3f3859d7d77645fae85.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSAC24.tmp\EDlGIqo4bS5o1eV.exe (depth 2)
    Command line: .\EDlGIqo4bS5o1eV.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\7zSAC24.tmp\EDlGIqo4bS5o1eV.dat
  Filesize: 1KB
  MD5: 8a44108fa3d9faf300cdff80cd51026b
  SHA1: 9ced5a7b936baf8df103f76868a547152f55db36
  SHA256: 3377f47c1626fb8622dca4fc44de7378728dfd97e8e564da01a6c0b9c078830d
  SHA512: 8b88ad2ff01228a7a3f4a4131d16aee4aa40591d4d50a153329ba4009673271b149faa27913678d29c5b72542057580cf9b300d962a1569478a25e50064e0989
- C:\Users\Admin\AppData\Local\Temp\7zSAC24.tmp\EDlGIqo4bS5o1eV.exe
  Filesize: 760KB
  MD5: dcd148f6f3af3e3b0935c4fcc9f41811
  SHA1: ee9bdbc7c568c7832d90b85921ab20030b6734cd
  SHA256: f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4
  SHA512: 34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886
- memory/1000-132-0x0000000000000000-mapping.dmp