Analysis
max time kernel: 27s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2023 22:17
Behavioral task
behavioral1
Sample: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
Resource: win7-20230220-en (windows7-x64)
3 signatures
300 seconds
General
Target: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
Size: 4.3MB
MD5: 2adfeed43feb236e8bd4bab0a862b22c
SHA1: 83705a265a086a6152973abf812fb21a7a7c7510
SHA256: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718
SHA512: d19d0dcacbff85e724dbaf80bbf66bb4e5750be7dda80cd2fe61c8d258d4cabf2ef45a57bb1c7ba84f3572f1a75aa0080627e1f97f6b43c3df88d8470bad0c90
SSDEEP: 98304:VYeBBQhD3S/U0Cpz+Y8TlbuEH9abRuCEvBQh8:Vim9CoY8Tpd84CE5W8
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral1/memory/1140-54-0x00000000013C0000-0x000000000221E000-memory.dmp | upx
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 1140 wrote to memory of 1968 | 1140 | 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe | cmd.exe
PID 1140 wrote to memory of 1968 | 1140 | 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe | cmd.exe
PID 1140 wrote to memory of 1968 | 1140 | 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe | cmd.exe
PID 1968 wrote to memory of 1916 | 1968 | cmd.exe | choice.exe
PID 1968 wrote to memory of 1916 | 1968 | cmd.exe | choice.exe
PID 1968 wrote to memory of 1916 | 1968 | cmd.exe | choice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1140
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
      - Suspicious use of WriteProcessMemory
      PID: 1968
      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 0
         PID: 1916