e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d

Analysis

max time kernel
36s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe
Size

68KB
MD5

afa85b31bae2790dff4b307e838b3079
SHA1

1947e401ad497e96cae33392fb46f5c4790724e0
SHA256

e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d
SHA512

0646793b873c79e414ead3de59210588bbded7419e9f4978a830d001f185749559639914dc2bf1eb9e51a6bd2839a54948b6d20f266becd6c81d5a3c38f5cfdf
SSDEEP

768:bqL6raHKk9cCm7sagoc9nnff8dcKgs5DKndzCPuI0tCxLQyUEOwpsR2:bqLPKUsc5glj2phCx8tl2

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1012	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1508	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1356	e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1012	1356	e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe	28
PID 1356 wrote to memory of 1012	1356	e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe	28
PID 1356 wrote to memory of 1012	1356	e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe	28
PID 1356 wrote to memory of 1012	1356	e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe	28
PID 1012 wrote to memory of 1508	1012	cmd.exe	30
PID 1012 wrote to memory of 1508	1012	cmd.exe	30
PID 1012 wrote to memory of 1508	1012	cmd.exe	30
PID 1012 wrote to memory of 1508	1012	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe
"C:\Users\Admin\AppData\Local\Temp\e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del e045012044b62da575f059d1146e05e889f8fdd77561844dc51ffb09978de91d.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-56-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download