ca3def819c788dd6ba706a2d4d22b0d4ae5ca989df8c2737ed9fd2b79bc46d00

Analysis

max time kernel
118s
max time network
282s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/08/2023, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c_dump_64.exe
Size

756KB
MD5

e3519a30942e85e5f93f9e0845cd6dc3
SHA1

216afd3d677a61a247b3344c9b2d296dfc338519
SHA256

ca3def819c788dd6ba706a2d4d22b0d4ae5ca989df8c2737ed9fd2b79bc46d00
SHA512

bf07805eb54f5099797797d88d5f7bca2a2d0335dedcccc70a33b4c76656298243da156eebc8d193aa66393fe8fcdb4711a3586acf68273ed2dce526b11275b8
SSDEEP

12288:OxM8HqxlzIKsVccJIiqq5voUz5s3nIBrJwvLivK7goiGm9z8Ma:GMnxzWmil35s3IBJYivK7g0Q8

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1112	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
3	api.ipify.org
5	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2420	PING.EXE
596	PING.EXE
1628	PING.EXE
1680	PING.EXE
2816	PING.EXE
2388	PING.EXE
1036	PING.EXE
1516	PING.EXE
2836	PING.EXE
2436	PING.EXE
476	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2768	1052	86c_dump_64.exe	29
PID 1052 wrote to memory of 2768	1052	86c_dump_64.exe	29
PID 1052 wrote to memory of 2768	1052	86c_dump_64.exe	29
PID 1052 wrote to memory of 2344	1052	86c_dump_64.exe	28
PID 1052 wrote to memory of 2344	1052	86c_dump_64.exe	28
PID 1052 wrote to memory of 2344	1052	86c_dump_64.exe	28
PID 1052 wrote to memory of 2052	1052	86c_dump_64.exe	30
PID 1052 wrote to memory of 2052	1052	86c_dump_64.exe	30
PID 1052 wrote to memory of 2052	1052	86c_dump_64.exe	30
PID 1052 wrote to memory of 2976	1052	86c_dump_64.exe	31
PID 1052 wrote to memory of 2976	1052	86c_dump_64.exe	31
PID 1052 wrote to memory of 2976	1052	86c_dump_64.exe	31
PID 1052 wrote to memory of 1696	1052	86c_dump_64.exe	32
PID 1052 wrote to memory of 1696	1052	86c_dump_64.exe	32
PID 1052 wrote to memory of 1696	1052	86c_dump_64.exe	32
PID 1052 wrote to memory of 2980	1052	86c_dump_64.exe	33
PID 1052 wrote to memory of 2980	1052	86c_dump_64.exe	33
PID 1052 wrote to memory of 2980	1052	86c_dump_64.exe	33
PID 1052 wrote to memory of 2180	1052	86c_dump_64.exe	34
PID 1052 wrote to memory of 2180	1052	86c_dump_64.exe	34
PID 1052 wrote to memory of 2180	1052	86c_dump_64.exe	34
PID 1052 wrote to memory of 1268	1052	86c_dump_64.exe	35
PID 1052 wrote to memory of 1268	1052	86c_dump_64.exe	35
PID 1052 wrote to memory of 1268	1052	86c_dump_64.exe	35
PID 1052 wrote to memory of 2552	1052	86c_dump_64.exe	36
PID 1052 wrote to memory of 2552	1052	86c_dump_64.exe	36
PID 1052 wrote to memory of 2552	1052	86c_dump_64.exe	36
PID 1052 wrote to memory of 2092	1052	86c_dump_64.exe	37
PID 1052 wrote to memory of 2092	1052	86c_dump_64.exe	37
PID 1052 wrote to memory of 2092	1052	86c_dump_64.exe	37
PID 2092 wrote to memory of 2836	2092	cmd.exe	41
PID 2092 wrote to memory of 2836	2092	cmd.exe	41
PID 2092 wrote to memory of 2836	2092	cmd.exe	41
PID 1268 wrote to memory of 1680	1268	cmd.exe	42
PID 1268 wrote to memory of 1680	1268	cmd.exe	42
PID 1268 wrote to memory of 1680	1268	cmd.exe	42
PID 2552 wrote to memory of 2816	2552	cmd.exe	46
PID 2552 wrote to memory of 2816	2552	cmd.exe	46
PID 2552 wrote to memory of 2816	2552	cmd.exe	46
PID 2180 wrote to memory of 2420	2180	cmd.exe	52
PID 2180 wrote to memory of 2420	2180	cmd.exe	52
PID 2180 wrote to memory of 2420	2180	cmd.exe	52
PID 1696 wrote to memory of 2388	1696	cmd.exe	51
PID 1696 wrote to memory of 2388	1696	cmd.exe	51
PID 1696 wrote to memory of 2388	1696	cmd.exe	51
PID 2052 wrote to memory of 2436	2052	cmd.exe	53
PID 2052 wrote to memory of 2436	2052	cmd.exe	53
PID 2052 wrote to memory of 2436	2052	cmd.exe	53
PID 2344 wrote to memory of 476	2344	cmd.exe	54
PID 2344 wrote to memory of 476	2344	cmd.exe	54
PID 2344 wrote to memory of 476	2344	cmd.exe	54
PID 2976 wrote to memory of 596	2976	cmd.exe	55
PID 2976 wrote to memory of 596	2976	cmd.exe	55
PID 2976 wrote to memory of 596	2976	cmd.exe	55
PID 2980 wrote to memory of 1036	2980	cmd.exe	56
PID 2980 wrote to memory of 1036	2980	cmd.exe	56
PID 2980 wrote to memory of 1036	2980	cmd.exe	56
PID 2768 wrote to memory of 1628	2768	cmd.exe	57
PID 2768 wrote to memory of 1628	2768	cmd.exe	57
PID 2768 wrote to memory of 1628	2768	cmd.exe	57
PID 1052 wrote to memory of 1112	1052	86c_dump_64.exe	59
PID 1052 wrote to memory of 1112	1052	86c_dump_64.exe	59
PID 1052 wrote to memory of 1112	1052	86c_dump_64.exe	59
PID 1112 wrote to memory of 1516	1112	cmd.exe	61

C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe
"C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...