Analysis
max time kernel: 93s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2023 08:39
General
Target: f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e.exe
Size: 4.3MB
MD5: 8e06a01e43e30190a7843fa24c3e2afa
SHA1: b88c1365e461cb21fa8ce7a52443ac6f9b420888
SHA256: f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e
SHA512: 3e77e12ce4bf63d88e218fbd4044faea7e7205c5952f9987ae02fe1467bf79804afdc97962d383a9e8a967a04aa30c817c27a15984ed88369c7fedc424c958d9
SSDEEP: 98304:zlTEcSHSVltmLKBuaKL/DkwgvrrMgoxeNGYTxv5fF+fpGPY6:z9EcKSELYXKTQ1NoxKZlf+fkY
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource: behavioral1/memory/1000-133-0x0000000000B60000-0x00000000019C3000-memory.dmp
yara_rule: upx

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                                                                  procid_target
PID 1000 wrote to memory of 3776  1000  f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e.exe  76
PID 1000 wrote to memory of 3776  1000  f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e.exe  76
PID 3776 wrote to memory of 688   3776  cmd.exe                                                                  78
PID 3776 wrote to memory of 688   3776  cmd.exe                                                                  78
Processes

1. C:\Users\Admin\AppData\Local\Temp\f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e.exe"
   PID: 1000
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\f034ad4def61df7217fba26ed56df1e4c43f1082c66e88ce0fe2df934472535e.exe
      PID: 3776
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 0
         PID: 688