Analysis
- max time kernel: 103s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 08:30
General
- Target: c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe
- Size: 4.3MB
- MD5: 060302eb86d96eda59e36eb86e0f2350
- SHA1: 8e92374a50589727383d241d59cf565e628743e3
- SHA256: c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1
- SHA512: 1f68702c21e64e1a1bd0e02fd027b3223a600665b98be8c370b5b02bf62522a1bd242eabf4e9377e1c704251c849f4f5496e43591cb5fcc55b1e16d940a9b269
- SSDEEP: 98304:xYPZLCzAqGift2zgqE0HJ97Lyaf7QRuPYnGcs15CI8nV11nPEB1o:xaCzPGPgqTJ97LzQRuPYTs15C5nV1Z4o
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes:
    resource | yara_rule
    behavioral1/memory/1516-133-0x0000000000650000-0x00000000014B1000-memory.dmp | upx
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 1516 wrote to memory of 2352 | 1516 | c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe | cmd.exe
    PID 1516 wrote to memory of 2352 | 1516 | c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe | cmd.exe
    PID 2352 wrote to memory of 4640 | 2352 | cmd.exe | choice.exe
    PID 2352 wrote to memory of 4640 | 2352 | cmd.exe | choice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\c18415546f1a158b94e80c25aee66e2094f658a0c7e2301600951496d56bc7a1.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\choice.exe
      command line: choice /C Y /N /D Y /T 0