1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe
Size

156KB
MD5

66a502dc76e48ece9d93b9b5818b4f10
SHA1

2e18c18e025b73870bed3bd5cbaa0981bf65cf7d
SHA256

1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7
SHA512

f7e0847a10c008d87fe715eb551ee1f0957021e549d8a3b9104270d8ad25a9164fb46d14c05298bcb213bc49fa62738bae3b3f67a053716a49a5e1f02680891b
SSDEEP

3072:ilikxQUzHLV/sidu5k9AvVt7G9K7b+EdK5upvq9nV5P5ghIvX6gKEzeGAHVNVNbE:ilikxQU6w3BpiOh

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	Friendster Bruteforce.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe
1624	1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	Friendster Bruteforce.exe
1628	Friendster Bruteforce.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1628	1624	1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe	28
PID 1624 wrote to memory of 1628	1624	1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe	28
PID 1624 wrote to memory of 1628	1624	1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe	28
PID 1624 wrote to memory of 1628	1624	1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe	28

C:\Users\Admin\AppData\Local\Temp\1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe
"C:\Users\Admin\AppData\Local\Temp\1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe
  "C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

Filesize
114KB

MD5
6e86cc4f7eab19bd067fac6b3c955b40

SHA1
a72b9d3b853e899e7e62c0f38f4234655f967d1e

SHA256
0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

SHA512
008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

Filesize
114KB

MD5
6e86cc4f7eab19bd067fac6b3c955b40

SHA1
a72b9d3b853e899e7e62c0f38f4234655f967d1e

SHA256
0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

SHA512
008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

Download Submit
\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

Filesize
114KB

MD5
6e86cc4f7eab19bd067fac6b3c955b40

SHA1
a72b9d3b853e899e7e62c0f38f4234655f967d1e

SHA256
0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

SHA512
008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

Download Submit
\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

Filesize
114KB

MD5
6e86cc4f7eab19bd067fac6b3c955b40

SHA1
a72b9d3b853e899e7e62c0f38f4234655f967d1e

SHA256
0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

SHA512
008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

Download Submit
memory/1624-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1628-60-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1628-61-0x000007FEF2A80000-0x000007FEF3B16000-memory.dmp

Filesize
16.6MB

Download
memory/1628-62-0x0000000000896000-0x00000000008B5000-memory.dmp

Filesize
124KB

Download