Analysis
- max time kernel: 152s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Resource: win10v2004-20220901-en
General
- Target: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
- Size: 1.4MB
- MD5: 18d70788c8724bb9e0686d3a52e9e883
- SHA1: 8b89cbe1a61fe0810c89645d6ea93f782eb9a828
- SHA256: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243
- SHA512: 1dee7870fe3c824a898c0e7b6401ba7b43b1ac45235304f0486baeb0b99a08760af6feaa5cf096ff38b90434bbb30ad402c0242fca0499a164448669db246a7f
- SSDEEP: 12288:h6ZiQImGoC2WX+vEL4J8e4zxtm3DnP1AczCZqWfAtUEvaalG19Taw/H5CkUmCxjH:qGkE68eOxMDnP1AczCZ54tUpMigkU3xz
Malware Config
Signatures
- Processes:
  resource: behavioral1/memory/1344-62-0x0000000000400000-0x000000000063E000-memory.dmp
  yara_rule: upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe"
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe

  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid: 1344
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
  pid: 1364
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe

  pid: 1344
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (the same event is recorded four times):
  description: PID 1364 wrote to memory of 1344
  pid: 1364
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  target process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe

  description: PID 1364 wrote to memory of 1344
  pid: 1364
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  target process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe

  description: PID 1364 wrote to memory of 1344
  pid: 1364
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  target process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe

  description: PID 1364 wrote to memory of 1344
  pid: 1364
  process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  target process: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe"
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1344-56-0x0000000000000000-mapping.dmp
- memory/1344-57-0x0000000000400000-0x000000000063E000-memory.dmp (Filesize: 2.2MB)
- memory/1344-59-0x0000000000400000-0x000000000063E000-memory.dmp (Filesize: 2.2MB)
- memory/1344-62-0x0000000000400000-0x000000000063E000-memory.dmp (Filesize: 2.2MB)
- memory/1364-54-0x0000000000400000-0x000000000063E000-memory.dmp (Filesize: 2.2MB)
- memory/1364-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (Filesize: 8KB)
- memory/1364-60-0x0000000000400000-0x000000000063E000-memory.dmp (Filesize: 2.2MB)
- memory/1364-61-0x0000000002180000-0x00000000023BE000-memory.dmp (Filesize: 2.2MB)