70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655

Analysis

max time kernel
80s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2023 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe
Size

3.1MB
MD5

cd12cb026f70700b6d7d3122360c52e8
SHA1

b944514f2b56e27a9b5e26316f72fd9fec8aa94c
SHA256

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655
SHA512

6e9c3d683dbf9e16ae868ceb3078dffe330b7b81f50de204aab5d10d3b3baede98853b7f4f9fd2e871d6aa439716c9b6c0cef416478845954a7a08d8efe71f19
SSDEEP

49152:T5wh59b5nEKS6JKokJL06d4vD9GJjq/5qS3mynxdD4/7AQxDy:TUnuxBzd1IgYmoIfD

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4168 powershell.exe
4168 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4168 powershell.exe

pid	process
4168	powershell.exe
4168	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4168	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe

description	pid	process	target process
PID 3516 wrote to memory of 4168	3516	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	powershell.exe
PID 3516 wrote to memory of 4168	3516	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe
"C:\Users\Admin\AppData\Local\Temp\70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ak0qW0K2u6czTLZsDFl4AfJLpAhaac\sensfiles.zip

Filesize
7.2MB

MD5
1ab41d31fb0aed60edd9d20bc7e1163c

SHA1
b6659275b17b9ed641b3ba67481d406306206597

SHA256
66983b3c0ea1729d22240ec942dbd5c31573756fa079de413cc2ea2b4ccf43a8

SHA512
f7c995f257f093593ee33f2d2cfc8fba015cf8c2043c4af1038e04cebe34a5b33cb2cd111128203556c10713b07e37aa604b38a63d8bfc8568229a987696d4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3dntwht.2yv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_default_login_data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_default_webdata

Filesize
92KB

MD5
651d855bcf44adceccfd3fffcd32956d

SHA1
45ac6cb8bd69976f45a37bf86193bd4c8e03fce9

SHA256
4ada554163d26c8a3385d4fe372fc132971c867e23927a35d72a98aadb25b57b

SHA512
67b4683a4e780093e5b3e73ea906a42c74f96a9234845114e0ea6e61ab0308c2e5b7f12d3428ce5bf48928863c102f57c011f9cdc4589d2d82c078b3db70c31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_network_cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings_default_login_data

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/4168-142-0x00000167710B0000-0x00000167710D2000-memory.dmp

Filesize
136KB

Download
memory/4168-143-0x0000016771170000-0x0000016771180000-memory.dmp

Filesize
64KB

Download
memory/4168-144-0x0000016771170000-0x0000016771180000-memory.dmp

Filesize
64KB

Download
memory/4168-145-0x0000016771170000-0x0000016771180000-memory.dmp

Filesize
64KB

Download