Analysis
-
max time kernel
90s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2022, 07:04
Static task
static1
Behavioral task
behavioral1
Sample
a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe
Resource
win7-20221111-en
General
-
Target
a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe
-
Size
56KB
-
MD5
7146404def4e44596901368c8451994e
-
SHA1
6cbad4b8ef5790f62782674d52fd3a5506968cdf
-
SHA256
a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230
-
SHA512
dd5d83289142ddafe22347399dbd6e91eef556b91f83a3611e2e6a9d8efa2d542f55d1d2eafffdd4fd9535f48b20a2774051520a10e6c8fc1c51b3cf8a63db6f
-
SSDEEP
768:OTOQlDIAZZcInthEAicGvGqd3+DUI/I9wxKSudIQ:IOGHHqcGvGpDhIedaIQ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5020 gbQkb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 5020 gbQkb.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5020 gbQkb.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4396 wrote to memory of 5020 4396 a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe 82 PID 4396 wrote to memory of 5020 4396 a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe 82 PID 4396 wrote to memory of 5020 4396 a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe"C:\Users\Admin\AppData\Local\Temp\a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Users\Admin\AppData\Roaming\gbQkb.exeC:\Users\Admin\AppData\Roaming\gbQkb.exe C:\Users\Admin\AppData\Local\Temp\a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD57146404def4e44596901368c8451994e
SHA16cbad4b8ef5790f62782674d52fd3a5506968cdf
SHA256a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230
SHA512dd5d83289142ddafe22347399dbd6e91eef556b91f83a3611e2e6a9d8efa2d542f55d1d2eafffdd4fd9535f48b20a2774051520a10e6c8fc1c51b3cf8a63db6f
-
Filesize
56KB
MD57146404def4e44596901368c8451994e
SHA16cbad4b8ef5790f62782674d52fd3a5506968cdf
SHA256a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230
SHA512dd5d83289142ddafe22347399dbd6e91eef556b91f83a3611e2e6a9d8efa2d542f55d1d2eafffdd4fd9535f48b20a2774051520a10e6c8fc1c51b3cf8a63db6f