c2c2d2f8153ffade74c03bee326711a603e1dd8de071b5b0ab63e40fd1d40a2f

Analysis

max time kernel
127s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 05:21

Target

173d9aaaa9a62a689354ab9fc47c051e.exe
Size

14.3MB
MD5

173d9aaaa9a62a689354ab9fc47c051e
SHA1

5adc6972ca669eba979982b88db216b4d11a264b
SHA256

c2c2d2f8153ffade74c03bee326711a603e1dd8de071b5b0ab63e40fd1d40a2f
SHA512

b088a289a5e9212e748c1c47c70ab414515893aff857b9e1baf797d6e7d36baeb164d40eb822e3908bf7d6b5c77d1db188a61cdf524dc8fa9b52db4166a743fc
SSDEEP

98304:8qNld11RlyRzM7hNNxFk9kBCxBA7llFlaDyjClzmEmoGBc0jxozQ:8/J27F4A7eDykmoGqhzQ

Score

6^/10

spyware

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 1512	1216	173d9aaaa9a62a689354ab9fc47c051e.exe	94

Suspicious behavior: EnumeratesProcesses 22 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1512	1216	173d9aaaa9a62a689354ab9fc47c051e.exe	94
PID 1216 wrote to memory of 1512	1216	173d9aaaa9a62a689354ab9fc47c051e.exe	94
PID 1216 wrote to memory of 1512	1216	173d9aaaa9a62a689354ab9fc47c051e.exe	94
PID 1216 wrote to memory of 1512	1216	173d9aaaa9a62a689354ab9fc47c051e.exe	94
PID 1216 wrote to memory of 1512	1216	173d9aaaa9a62a689354ab9fc47c051e.exe	94

C:\Users\Admin\AppData\Local\Temp\173d9aaaa9a62a689354ab9fc47c051e.exe
"C:\Users\Admin\AppData\Local\Temp\173d9aaaa9a62a689354ab9fc47c051e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1216-5-0x00007FF63BE20000-0x00007FF63CCEA000-memory.dmp

Filesize
14.8MB

Download
memory/1512-4-0x0000000001000000-0x0000000001083000-memory.dmp

Filesize
524KB

Download
memory/1512-6-0x0000000001000000-0x0000000001083000-memory.dmp

Filesize
524KB

Download
memory/1512-7-0x0000000001000000-0x0000000001083000-memory.dmp

Filesize
524KB

Download
memory/1512-9-0x0000000001000000-0x0000000001083000-memory.dmp

Filesize
524KB

Download