9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c

Analysis

max time kernel
73s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe
Size

983KB
MD5

560880c37e770ce5b381ee7488f7fa87
SHA1

87f1fd19ef1d3f163739f6ae687039b40efdff83
SHA256

9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c
SHA512

62c007e0e17f95487dfb2b5f81f2fe57f508ca9930192bee39babc296205d130141388f7ea2ac7e76a093335146cb5d8c238fbf3848ae31712a658f5be8be66a
SSDEEP

12288:ldF0K5feXW63uv53WkHbFaFk5d7P92ITL0+K6H0XpJO5blv2Sq7vun5++mKsH8Sz:fFZUfeJ7YI8+K6H0Zspvsvu5oTGBA

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27
PID 1132 wrote to memory of 1524	1132	9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe	27

C:\Users\Admin\AppData\Local\Temp\9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe
"C:\Users\Admin\AppData\Local\Temp\9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe
  "C:\Users\Admin\AppData\Local\Temp\9d2211ec3a834c4c727d1910460d97b5bd864b4bb9a58fb73dfbf432cb0f342c.exe"
  2⤵
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1132-55-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-71-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-58-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-63-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-60-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-57-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-65-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-67-0x00000000004CB902-mapping.dmp

Download
memory/1524-69-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-56-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-72-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1524-74-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-75-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-76-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download