b842080ef401cb64de4b9c7d823ef60b0ed4f4bbd42431fbf26db940ece9f4f1

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 10:41

Target

b9abc1d13b8acc62899c1b6ca1780641.exe
Size

1.4MB
MD5

b9abc1d13b8acc62899c1b6ca1780641
SHA1

5dc010e2102098bd8b173d99dff3ffbb731967cf
SHA256

b842080ef401cb64de4b9c7d823ef60b0ed4f4bbd42431fbf26db940ece9f4f1
SHA512

58f452cdbfc7a7253fd2b99a230f187ff2d4d615eeac811d6878263722f563d9d1556ee0ef41df922ecb577bdd0385e11621d4ce82811f864f6dbca9a1b070c1
SSDEEP

24576:gBHHAmBQmcrj5alRdllZCVoVURXm5JwhjyBtyC6Nv1VqndqUhqat7meX1KI15ZNl:4crj5apllUlR25Jwhj0ty7NqnUUhqatR

Score

6^/10

spyware

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28

Suspicious behavior: EnumeratesProcesses 55 IoCs

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28
PID 2356 wrote to memory of 1084	2356	b9abc1d13b8acc62899c1b6ca1780641.exe	28

C:\Users\Admin\AppData\Local\Temp\b9abc1d13b8acc62899c1b6ca1780641.exe
"C:\Users\Admin\AppData\Local\Temp\b9abc1d13b8acc62899c1b6ca1780641.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1084-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-2-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-4-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-6-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1084-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1084-15-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download