84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b

Resubmissions

25/08/2023, 06:10

230825-gw6c6sbb9z 6

25/08/2023, 04:47

230825-fezcvshc39 6

Analysis

max time kernel
124s
max time network
255s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe
Size

1.6MB
MD5

7db9dd5aa17476727fa4321088a26fc3
SHA1

798e8db4d86bc714553ee5b715a2e49ae14887cc
SHA256

84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b
SHA512

0b0e9bd7f45e0ed282058119e68c71f8d6b5ed35b573bd4969770dc8d845de1a3fdc834e7fa5ce98bbc1355b9797acd7ba3e2676d2019e1ea1fcdf8b5481ef7b
SSDEEP

49152:PRGqZwl190Zh2FotehTNa63fQfslf8j/:U0Zh2qtehQF

Score

6^/10

spyware

Malware Config

Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe
2672	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55
PID 1508 wrote to memory of 2672	1508	84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe	55

C:\Users\Admin\AppData\Local\Temp\84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe
"C:\Users\Admin\AppData\Local\Temp\84630d3a3fce1c6a424a0a13f645fb995cb69c0829c4dde384806d08a6f8e94b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2672-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2672-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2672-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2672-3-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2672-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download