Analysis
  max time kernel: 56s
  max time network: 185s
  platform: windows10-1703_x64
  resource: win10-20230220-en
  resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 31-05-2023 22:17
Behavioral task
  behavioral1
  Sample: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
  Resource: win7-20230220-en (windows7-x64)
  3 signatures
  300 seconds
General
  Target: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
  Size: 4.3MB
  MD5: 2adfeed43feb236e8bd4bab0a862b22c
  SHA1: 83705a265a086a6152973abf812fb21a7a7c7510
  SHA256: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718
  SHA512: d19d0dcacbff85e724dbaf80bbf66bb4e5750be7dda80cd2fe61c8d258d4cabf2ef45a57bb1c7ba84f3572f1a75aa0080627e1f97f6b43c3df88d8470bad0c90
  SSDEEP: 98304:VYeBBQhD3S/U0Cpz+Y8TlbuEH9abRuCEvBQh8:Vim9CoY8Tpd84CE5W8
Malware Config
Signatures
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
    Processes:
      resource                                                                          yara_rule
      behavioral2/memory/4156-121-0x0000000000920000-0x000000000177E000-memory.dmp      upx
      behavioral2/memory/4156-122-0x0000000000920000-0x000000000177E000-memory.dmp      upx

  Suspicious use of WriteProcessMemory (4 IoCs)
    Processes: 8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe, cmd.exe
      description                        pid   process                                                                 target process
      PID 4156 wrote to memory of 4140   4156  8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe   cmd.exe
      PID 4156 wrote to memory of 4140   4156  8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe   cmd.exe
      PID 4140 wrote to memory of 4136   4140  cmd.exe                                                                 choice.exe
      PID 4140 wrote to memory of 4136   4140  cmd.exe                                                                 choice.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe"
     PID: 4156
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\8b91c8182a780fdaa656a517bbfbff508c94fab6a5e658a77c63442896203718.exe
        PID: 4140
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\system32\choice.exe
           Command line: choice /C Y /N /D Y /T 0
           PID: 4136