ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f

Analysis

max time kernel
87s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe
Size

24KB
MD5

f52dd568afdf3ab27817d849162a3e71
SHA1

815da8ca05870e6e77fc387195c14f4119c6787e
SHA256

ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f
SHA512

c225f68bdc52d4ef60c67a7a8996a032e10fa0b4cc3c8add27ce6b9b6671fd7c5ed02d7c290522c6f277b0dc71bdd47ad2959061dbd2c4c1e90b92f9267a4bb4
SSDEEP

384:vOCaqrpMsc29ZpvyF73t+15raYhLoe0qHUEE9FQhVNLqvW:vOCNNyFA15raYhL/HUEE9FQhVB5

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1656	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1172	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	28
PID 1212 wrote to memory of 1172	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	28
PID 1212 wrote to memory of 1172	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	28
PID 1212 wrote to memory of 1172	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	28
PID 1212 wrote to memory of 1724	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	30
PID 1212 wrote to memory of 1724	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	30
PID 1212 wrote to memory of 1724	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	30
PID 1212 wrote to memory of 1724	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	30
PID 1212 wrote to memory of 1656	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	32
PID 1212 wrote to memory of 1656	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	32
PID 1212 wrote to memory of 1656	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	32
PID 1212 wrote to memory of 1656	1212	ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe	32

C:\Users\Admin\AppData\Local\Temp\ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe
"C:\Users\Admin\AppData\Local\Temp\ff280de1b7694c27f0a10c973f46454e802cd7900bd3e749fcc111e54d784f7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RenUS.bat" "
  2⤵
  PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RenUS.bat" "
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelUS.bat" "
  2⤵
  - Deletes itself
  PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelUS.bat

Filesize
341B

MD5
78008a1ade1c64cc49fc30db329953ae

SHA1
b2dac4d1d13639b517e2418c12ae50e08d890377

SHA256
59637557fe90736a4bf146498c78088f4927185be78fbe3255eca2172bdb15b7

SHA512
73b789234cb9664d9be528e590fe3a5297e9b4efad9d6eaab405a514ad05ba1f60f0260ad1ffda26d407a23f5eb7842b5c70fcb33f7a3174dc9a668e274735f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RenUS.bat

Filesize
29B

MD5
4ea69b1b1647ed114f3198e58a889eea

SHA1
ef470ae3411c368c43762dfebc7d898c4a47a49f

SHA256
43def0cf84cf12cac102e88a19daf4d1bd195a0e98976ad79ddf277f1942bb67

SHA512
f9cc1096a981382cc401e819d24d8253d4fd5221cf794a77b726dea15dffb8c5a9d8fa9971ff118b8bfaf7c272f6c94e866035de8f3f6bdafcad2c3f12c260d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RenUS.bat

Filesize
61B

MD5
a5db51d0d0584926dd2aea91dff988f0

SHA1
884c3fd1973be99cea73ef6fcc6f04f38a1751df

SHA256
1d49dd4b3f059547f18c491c7bfa03a3bc45ae015932ab76c8b11103dee72841

SHA512
085506265424268943107f1c2a03ce8b8bf9fd9fc9f12b93780f39afa39d7f38f4d2f7a7b035a447c31d568144f1893ee9b9f3c5b864ecd4915dc6cbbebb9228

Download Submit
memory/1212-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download