Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
28-03-2023 03:38
Behavioral task
behavioral1
Sample
ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe
Resource
win7-20230220-en
windows7-x64
4 signatures
300 seconds
General
-
Target
ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe
-
Size
4.3MB
-
MD5
c3d8ee8d15499dcb98d390faa1db03e0
-
SHA1
f95a309ec2b8d114518fffc4722898e1e3229da4
-
SHA256
ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575
-
SHA512
56b166f46acec2b83726ed03ba0a6ab959b79aa502ee37959601b14387a60f88459bb35ecb8e5b34f7f4649e8c89640c102877ef3ca3e8db145793de6cb79828
-
SSDEEP
98304:6ap4irM3hZlWJG58Cch6a+UWiOoZVQWKVxBmddK8V+i4A:miriPl35fPUWXunKsdd1+g
Malware Config
Signatures
-
Deletes itself 1 IoCs
The sample spawns cmd.exe, which waits zero seconds via choice /C Y /N /D Y /T 0 and then runs Del on the sample's own path in AppData\Local\Temp (see the process tree below). The delay lets the parent process exit before the file is unlinked, so the binary is gone by the time a responder looks for it on disk.
Processes:
PID 852 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and form data.
-
Processes (YARA rule match):
resource: behavioral1/memory/1248-54-0x0000000000020000-0x0000000000E81000-memory.dmp
yara_rule: upx -
Suspicious use of WriteProcessMemory 6 IoCs
Processes (source PID wrote to target PID: source process -> target process):
PID 1248 wrote to memory of 852: ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe -> cmd.exe
PID 1248 wrote to memory of 852: ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe -> cmd.exe
PID 1248 wrote to memory of 852: ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe -> cmd.exe
PID 852 wrote to memory of 884: cmd.exe -> choice.exe
PID 852 wrote to memory of 884: cmd.exe -> choice.exe
PID 852 wrote to memory of 884: cmd.exe -> choice.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe (PID 1248)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 852)
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe (PID 884)
         Command line: choice /C Y /N /D Y /T 0
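The self-deletion seen in the process tree above (cmd.exe /C choice ... /T 0 &Del <sample path>) can be flagged from process-creation telemetry by matching a cmd.exe child whose Del target equals its parent's image path. The following Python is an added example, not part of the sandbox report or of the sample; the process records are constructed from the report's tree (PIDs 1248, 852, 884 as listed in its WriteProcessMemory table), and the ping -n / timeout /t delay idioms are an assumed generalization beyond the choice /T 0 variant this sample uses.

```python
"""Flag cmd.exe-based self-deletion from process-creation records.

Added example, not part of the sandbox report. The records below are
constructed from the report's process tree; the ping/timeout delay idioms
are an assumed generalization of the choice /T 0 variant shown there.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ab271dbdb2fe1167e203eb5693a107b5f75a4abc427990f1610c6f36798e0575.exe")

# Constructed from the report's process tree (PIDs from its WriteProcessMemory table).
PROCS = [
    Proc(1248, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(852, 1248, r"C:\Windows\system32\cmd.exe",
         rf"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del {SAMPLE}"),
    Proc(884, 852, r"C:\Windows\system32\choice.exe", "choice /C Y /N /D Y /T 0"),
]

# Constructed negative case: cmd.exe deletes some other file, not its parent.
BENIGN_PROCS = [
    Proc(1, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2, 1, r"C:\Windows\system32\cmd.exe", r"cmd.exe /C del /Q C:\Temp\stale.log"),
]

# "del" or "erase", optional switches, then the target up to the next
# command separator (& or |) or end of line; quotes around the target are optional.
DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)',
                    re.IGNORECASE)
# "Wait before deleting" idioms: choice /T is the one in the report;
# ping -n and timeout /t are assumed equivalents.
DELAY_RE = re.compile(r'\b(?:choice\b.*?/T\s*\d+|ping\b.*?-n\s*\d+|timeout\b.*?/t\s*\d+)',
                      re.IGNORECASE)


def self_delete_events(procs):
    """Return one record per cmd.exe child whose Del target is its parent's image path."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(p.ppid)
        m = DEL_RE.search(p.cmdline)
        if parent is None or m is None:
            continue
        target = m.group(1).strip().lower()
        if target == parent.image.lower():
            hits.append({
                "cmd_pid": p.pid,
                "parent_pid": parent.pid,
                "deleted": parent.image,
                "delayed": DELAY_RE.search(p.cmdline) is not None,
            })
    return hits


if __name__ == "__main__":
    for hit in self_delete_events(PROCS):
        print(f"self-delete: cmd.exe {hit['cmd_pid']} removed parent "
              f"{hit['parent_pid']} ({hit['deleted']}), delayed={hit['delayed']}")
```

The comparison is against the parent's image path rather than against any .exe, so a cmd.exe that cleans up unrelated files (the constructed BENIGN_PROCS case) does not fire. In a real pipeline the same check applies to Sysmon Event ID 1 or EDR process-start records, where ParentImage and CommandLine carry the two values compared here.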
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1248-54-0x0000000000020000-0x0000000000E81000-memory.dmp
Filesize: 14.4MB