ca3def819c788dd6ba706a2d4d22b0d4ae5ca989df8c2737ed9fd2b79bc46d00

Analysis

max time kernel
234s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2023 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c_dump_64.exe
Size

756KB
MD5

e3519a30942e85e5f93f9e0845cd6dc3
SHA1

216afd3d677a61a247b3344c9b2d296dfc338519
SHA256

ca3def819c788dd6ba706a2d4d22b0d4ae5ca989df8c2737ed9fd2b79bc46d00
SHA512

bf07805eb54f5099797797d88d5f7bca2a2d0335dedcccc70a33b4c76656298243da156eebc8d193aa66393fe8fcdb4711a3586acf68273ed2dce526b11275b8
SSDEEP

12288:OxM8HqxlzIKsVccJIiqq5voUz5s3nIBrJwvLivK7goiGm9z8Ma:GMnxzWmil35s3IBJYivK7g0Q8

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
2296	PING.EXE
2980	PING.EXE
4340	PING.EXE
1332	PING.EXE
208	PING.EXE
2148	PING.EXE
3804	PING.EXE
2480	PING.EXE
5048	PING.EXE
5056	PING.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3660	4936	86c_dump_64.exe	80
PID 4936 wrote to memory of 3660	4936	86c_dump_64.exe	80
PID 4936 wrote to memory of 4184	4936	86c_dump_64.exe	82
PID 4936 wrote to memory of 4184	4936	86c_dump_64.exe	82
PID 4936 wrote to memory of 4592	4936	86c_dump_64.exe	84
PID 4936 wrote to memory of 4592	4936	86c_dump_64.exe	84
PID 4936 wrote to memory of 2396	4936	86c_dump_64.exe	86
PID 4936 wrote to memory of 2396	4936	86c_dump_64.exe	86
PID 4936 wrote to memory of 2508	4936	86c_dump_64.exe	88
PID 4936 wrote to memory of 2508	4936	86c_dump_64.exe	88
PID 4936 wrote to memory of 4664	4936	86c_dump_64.exe	89
PID 4936 wrote to memory of 4664	4936	86c_dump_64.exe	89
PID 4936 wrote to memory of 1992	4936	86c_dump_64.exe	92
PID 4936 wrote to memory of 1992	4936	86c_dump_64.exe	92
PID 4936 wrote to memory of 1688	4936	86c_dump_64.exe	94
PID 4936 wrote to memory of 1688	4936	86c_dump_64.exe	94
PID 4936 wrote to memory of 4976	4936	86c_dump_64.exe	95
PID 4936 wrote to memory of 4976	4936	86c_dump_64.exe	95
PID 4936 wrote to memory of 1448	4936	86c_dump_64.exe	98
PID 4936 wrote to memory of 1448	4936	86c_dump_64.exe	98
PID 3660 wrote to memory of 4340	3660	cmd.exe	100
PID 3660 wrote to memory of 4340	3660	cmd.exe	100
PID 4184 wrote to memory of 1332	4184	cmd.exe	101
PID 4184 wrote to memory of 1332	4184	cmd.exe	101
PID 4664 wrote to memory of 208	4664	cmd.exe	102
PID 4664 wrote to memory of 208	4664	cmd.exe	102
PID 2396 wrote to memory of 2148	2396	cmd.exe	103
PID 2396 wrote to memory of 2148	2396	cmd.exe	103
PID 4592 wrote to memory of 3804	4592	cmd.exe	104
PID 4592 wrote to memory of 3804	4592	cmd.exe	104
PID 2508 wrote to memory of 2296	2508	cmd.exe	105
PID 2508 wrote to memory of 2296	2508	cmd.exe	105
PID 4976 wrote to memory of 2980	4976	cmd.exe	106
PID 4976 wrote to memory of 2980	4976	cmd.exe	106
PID 1992 wrote to memory of 2480	1992	cmd.exe	107
PID 1992 wrote to memory of 2480	1992	cmd.exe	107
PID 1448 wrote to memory of 5056	1448	cmd.exe	109
PID 1448 wrote to memory of 5056	1448	cmd.exe	109
PID 1688 wrote to memory of 5048	1688	cmd.exe	108
PID 1688 wrote to memory of 5048	1688	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe
"C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:4340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:5048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86c_dump_64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads