1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105

Analysis

max time kernel
490s
max time network
495s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
19-03-2023 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add_attack/Slava.exe
Size

13.9MB
MD5

1fa21564b4463aa7a564a20fa00dafba
SHA1

44d44ad94ede70ae8bdf75ea18660911f5a22915
SHA256

f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9
SHA512

2467c316ca826f757c0eae92a295ac9e3d4cde38936f480fdbaea1fbaa933c298c4d3ac7ca361f20c246c768591f02b8a6c18c4064780803585d1b7cbf914abf
SSDEEP

98304:Z8orC0paqIwP+g/pkrubbwibwHyEe/4/I3eFTF:CExaqvP+0pkruwKw/P/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 1204	4516	Slava.exe	83
PID 4516 wrote to memory of 1204	4516	Slava.exe	83
PID 1204 wrote to memory of 3144	1204	cmd.exe	85
PID 1204 wrote to memory of 3144	1204	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\add_attack\Slava.exe
"C:\Users\Admin\AppData\Local\Temp\add_attack\Slava.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\add_attack\Slava.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 0
    3⤵
    PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4516-133-0x0000000000F00000-0x0000000001D4F000-memory.dmp

Filesize
14.3MB

Download