0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29

Analysis

max time kernel
43s
max time network
54s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 10:57

Target

0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe
Size

1.0MB
MD5

5e2857c3cc24f6529aa9bc293be4cf22
SHA1

587d038e60354faa8fc30c96ecc2995485a212b2
SHA256

0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29
SHA512

4429cd72cf7cfd642b920260212de3fa205f55ddd61ba73f6296b9a02d1bccc7a75151d854905a3a1361813d0829e0d18cbfe9c5ef6fd83cfe25cc3c0227065e
SSDEEP

24576:HB8+mu4DXEz/XVsR0FJc78OhJBgRPflYm8CcP2FRGmbl+aoNt2g:HOgWe+EYmEaoNj

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1084	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27
PID 1168 wrote to memory of 1084	1168	0bb6e04cf431c2c2eac335a1292e8693b70b5538767a99089fe4913b48a8af29.exe	27

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1084-54-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-55-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-57-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-59-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-61-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-63-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-65-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-68-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1084-69-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-70-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1084-71-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download