069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 11:06

Target

069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe
Size

1.0MB
MD5

add618444843b6dec500a6a3d1e86b3a
SHA1

313ada3cf60a9a85a99e35ac3e81bed1bdb8be3a
SHA256

069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f
SHA512

db6fbc6ebf9e66ef837a7ec2b8ac4e73bc0f73867d7f54aefc42630ae7dc979288f68148f855e7a7db01e3916991a4499ef71adce9258e721a1098beb4222173
SSDEEP

24576:LB8+mu4DXEz/XVsR0FJc78OhJBgRPflYm8CcP2FRGmbl+aoNt+2:LOgWe+EYmEaoNN

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe
2140	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2140	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe
2140	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe
2140	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe
2140	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81
PID 1268 wrote to memory of 2140	1268	069a4ac95599fdc07a4bcee35a4fcf339d40f33b690f8016a88a9bdfb8faa89f.exe	81

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2140-133-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2140-134-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2140-135-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2140-136-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2140-137-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download