1cc7feaee823df0807c49341b9f4f0e58a4c021e8bc974af7bf5eb02fe09731e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 16:06

Target

18bd6b80c064ecf021bff737c2f48ec4.exe
Size

690KB
MD5

18bd6b80c064ecf021bff737c2f48ec4
SHA1

7388f3d30f22b27243b6851f702189757cd29f06
SHA256

1cc7feaee823df0807c49341b9f4f0e58a4c021e8bc974af7bf5eb02fe09731e
SHA512

38dbc23989af37132a2f3bf462ed2c8591b3018fa96faf20a11d308e6bd820700ef456929ec338efd542ccf69d78ab36fbc2d76eeacfd09ac5cbc401e4d4d977
SSDEEP

12288:mA+lX8n+122WJVjgF/tCZqqe+OK+EkJrMo8CquJCLv2v30N1sb1:M/An0F0DhmJF8g30N1sZ

Score

6^/10

spyware

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29

Suspicious behavior: EnumeratesProcesses 10 IoCs

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29
PID 3020 wrote to memory of 2848	3020	18bd6b80c064ecf021bff737c2f48ec4.exe	29

C:\Users\Admin\AppData\Local\Temp\18bd6b80c064ecf021bff737c2f48ec4.exe
"C:\Users\Admin\AppData\Local\Temp\18bd6b80c064ecf021bff737c2f48ec4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2848-1-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-2-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-4-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-9-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-6-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-11-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2848-13-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download