Analysis
max time kernel: 30s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 02:40
Behavioral task
behavioral1
Sample: ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe
Resource: win7-20230220-en (windows7-x64)
4 signatures
150 seconds
General
Target: ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe
Size: 4.3MB
MD5: f95d11302a83d13259698b84f384fc78
SHA1: 2ea4fb8c6f8f3aaeda9b0cc84198bc6b18023597
SHA256: ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424
SHA512: 380070d5cd4a773ee210f71b111109b9631b6cc3303272901528f62d7f1348dfbb98d2a6cdeb3419fea2208c1b0fa1b2ae54da80cc9ed184060b5cd9a728551c
SSDEEP: 98304:uidqin+FG82b2mZe1di2CdzGDigSUwR9ab/EZGNpX/e6gkLt+L/NR:5drnOGZb2gdzgTL/uqX/e6JtE
Malware Config
Signatures
- Deletes itself 1 IoCs
  Processes:
  pid | process
  860 | cmd.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match: upx
  Processes:
  resource | yara_rule
  behavioral1/memory/948-54-0x00000000000E0000-0x0000000000F41000-memory.dmp | upx
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes:
  description | pid | process | target process
  PID 948 wrote to memory of 860 | 948 | ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe | cmd.exe
  PID 948 wrote to memory of 860 | 948 | ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe | cmd.exe
  PID 948 wrote to memory of 860 | 948 | ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe | cmd.exe
  PID 860 wrote to memory of 528 | 860 | cmd.exe | choice.exe
  PID 860 wrote to memory of 528 | 860 | cmd.exe | choice.exe
  PID 860 wrote to memory of 528 | 860 | cmd.exe | choice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe (PID 948)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 860, child of 948)
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe (PID 528, child of 860)
         Command line: choice /C Y /N /D Y /T 0
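The cmd.exe line above is the classic self-delete idiom: `choice /C Y /N /D Y /T 0` offers a Y/N prompt with no text (/N), auto-picks Y (/D Y) after 0 seconds (/T 0), and then `del` removes the dropper's own image. A running executable cannot be deleted while it is mapped, so the work is handed to a separate cmd.exe that outlives the parent; with a non-zero /T (or `ping -n N`, `timeout /t N`) the first command doubles as a sleep. The detection below is an added example, not part of this report: it walks process-creation events (field names pid/ppid/image/cmdline modelled on Sysmon Event ID 1 are an assumption), splits the cmd.exe command line into its `&`-separated commands, and flags any cmd.exe whose `del`/`erase` target equals its parent's image path. The events are constructed to mirror the tree in this report (PIDs 948/860/528), plus a ping-based variant and a benign delete that must not fire; the detection also generalises beyond `choice` to `ping` and `timeout` delays.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# cmd.exe built-ins/utilities commonly abused as a "sleep" before the delete
DELAY_CMDS = {"choice", "ping", "timeout"}
DEL_CMDS = {"del", "erase"}


@dataclass
class ProcEvent:
    """One process-creation event (field names follow Sysmon Event ID 1; assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _norm_cmd(token: str) -> str:
    """'C:\\Windows\\system32\\choice.exe' -> 'choice', 'Del' -> 'del'."""
    t = token.strip('"').rsplit("\\", 1)[-1].lower()
    return t[:-4] if t.endswith(".exe") else t


def _segments(cmdline: str) -> List[str]:
    """Strip the leading 'cmd.exe /C' and split 'a & b && c | d' into commands."""
    body = re.sub(r'^\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/[ck]\s+', "", cmdline, flags=re.I)
    return [s.strip() for s in re.split(r"&&|&|\|\||\|", body) if s.strip()]


def _del_target(segment: str) -> Optional[str]:
    """Return the lower-cased path a del/erase command removes, else None."""
    tokens = segment.split()
    if not tokens or _norm_cmd(tokens[0]) not in DEL_CMDS:
        return None
    args = [t for t in tokens[1:] if not t.startswith("/")]  # drop /F /Q /A:... switches
    if not args:
        return None
    return " ".join(args).strip('"').lower()  # re-join a quoted path containing spaces


def find_self_deletion(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag cmd.exe children whose command line deletes their own parent's image."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        if _norm_cmd(e.image) != "cmd":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        segs = _segments(e.cmdline)
        delays = [s for s in segs if _norm_cmd(s.split(None, 1)[0]) in DELAY_CMDS]
        targets = {t for t in (_del_target(s) for s in segs) if t}
        if parent.image.lower() in targets:
            findings.append({
                "parent_pid": parent.pid,
                "parent_image": parent.image,
                "cmd_pid": e.pid,
                "delay_cmd": delays[0] if delays else None,  # None = no sleep primitive
            })
    return findings


# Constructed sample events: the first three mirror this report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ee51846bb0172312da1f5dcc204653cb62dff225ee015d8c1cc6776c91e6e424.exe"
DROPPER = r"C:\Users\Admin\AppData\Roaming\Dropper.exe"  # hypothetical second sample
SAMPLE_EVENTS = [
    ProcEvent(948, 1200, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(860, 948, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del " + SAMPLE),
    ProcEvent(528, 860, r"C:\Windows\system32\choice.exe", "choice /C Y /N /D Y /T 0"),
    # ping-as-sleep variant with a quoted, /F-forced delete
    ProcEvent(900, 1200, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(910, 900, r"C:\Windows\system32\cmd.exe",
              'cmd /c ping 127.0.0.1 -n 4 > nul & del /f "' + DROPPER + '"'),
    # benign: an installer clearing its own log, not its own image
    ProcEvent(400, 1200, r"C:\Users\Admin\Downloads\setup.exe", "setup.exe /S"),
    ProcEvent(700, 400, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del /q C:\Users\Admin\AppData\Local\Temp\setup.log"),
]

if __name__ == "__main__":
    for finding in find_self_deletion(SAMPLE_EVENTS):
        print(finding)
```

Matching on the parent's image path rather than on the `choice` string keeps the rule robust to the sleep primitive being swapped; the `delay_cmd` field records which one was used so the analyst can see the sandbox-evasion flavour at a glance.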
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/948-54-0x00000000000E0000-0x0000000000F41000-memory.dmp
  Filesize: 14.4MB
  The region 0xE0000-0xF41000 spans 0xE61000 bytes (15,077,376, about 14.4 MiB), matching the dump size. It is roughly 3.4 times the 4.3MB on-disk sample, consistent with the upx YARA match above: the packed image expands once unpacked in memory, so this dump, not the file on disk, is the one to carve or disassemble.