a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 07:04

Target

a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe
Size

56KB
MD5

7146404def4e44596901368c8451994e
SHA1

6cbad4b8ef5790f62782674d52fd3a5506968cdf
SHA256

a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230
SHA512

dd5d83289142ddafe22347399dbd6e91eef556b91f83a3611e2e6a9d8efa2d542f55d1d2eafffdd4fd9535f48b20a2774051520a10e6c8fc1c51b3cf8a63db6f
SSDEEP

768:OTOQlDIAZZcInthEAicGvGqd3+DUI/I9wxKSudIQ:IOGHHqcGvGpDhIedaIQ

Score

8^/10

spyware stealer

Executes dropped EXE 1 IoCs

pid	Process
5020	gbQkb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5020	gbQkb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	gbQkb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 5020	4396	a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe	82
PID 4396 wrote to memory of 5020	4396	a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe	82
PID 4396 wrote to memory of 5020	4396	a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe	82

C:\Users\Admin\AppData\Local\Temp\a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe
"C:\Users\Admin\AppData\Local\Temp\a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Roaming\gbQkb.exe
  C:\Users\Admin\AppData\Roaming\gbQkb.exe C:\Users\Admin\AppData\Local\Temp\a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\gbQkb.exe

Filesize
56KB

MD5
7146404def4e44596901368c8451994e

SHA1
6cbad4b8ef5790f62782674d52fd3a5506968cdf

SHA256
a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230

SHA512
dd5d83289142ddafe22347399dbd6e91eef556b91f83a3611e2e6a9d8efa2d542f55d1d2eafffdd4fd9535f48b20a2774051520a10e6c8fc1c51b3cf8a63db6f

Download Submit
C:\Users\Admin\AppData\Roaming\gbQkb.exe

Filesize
56KB

MD5
7146404def4e44596901368c8451994e

SHA1
6cbad4b8ef5790f62782674d52fd3a5506968cdf

SHA256
a0ea90167f5b02b661d29010a6403803b802d52522a9f1c6c78f62fd81953230

SHA512
dd5d83289142ddafe22347399dbd6e91eef556b91f83a3611e2e6a9d8efa2d542f55d1d2eafffdd4fd9535f48b20a2774051520a10e6c8fc1c51b3cf8a63db6f

Download Submit
memory/4396-133-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/4396-138-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/5020-139-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/5020-140-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/5020-141-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download