ffa46d05a9fec492b5143056913bf160730555b2450d1233ef59028c1ecc2e9d

Analysis

max time kernel
64s
max time network
176s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 09:43

Target

13Vh687.exe
Size

631KB
MD5

bee83a24e0cead2469a7dfce5df9b708
SHA1

acc67aa1243abef2832f3f3d80a63e2124d2fa5d
SHA256

ffa46d05a9fec492b5143056913bf160730555b2450d1233ef59028c1ecc2e9d
SHA512

6b98b065fb13030f43a1ccb221fa4b1a0ff3c5bf4db5179485f4181e716cce8a739cebe05c4c4fe976ee173b5564d2083c315ae207427b46af051a990c53540e
SSDEEP

12288:E/RENoJ5jcOl0ekRQbFUXdy5pdijBOneGzbDB33cKxGmumm7Ud3:EJGY0ekRQm2poIeGzB33cwBu3U

Score

6^/10

spyware

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 380	1300	13Vh687.exe	72

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
380	AppLaunch.exe
380	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72
PID 1300 wrote to memory of 380	1300	13Vh687.exe	72

C:\Users\Admin\AppData\Local\Temp\13Vh687.exe
"C:\Users\Admin\AppData\Local\Temp\13Vh687.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/380-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/380-1-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/380-2-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/380-3-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/380-4-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download