e662d7869dc51b5a75af09fa29327a30fa3a18b388d9c4ca8b425e9884cf14f2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08af350036c437cf4c25db00c0b6b267.exe
Size

232KB
MD5

08af350036c437cf4c25db00c0b6b267
SHA1

5a1a6e24e59eaab9af037451b53c9a02a153c9e0
SHA256

e662d7869dc51b5a75af09fa29327a30fa3a18b388d9c4ca8b425e9884cf14f2
SHA512

d0cf3a0f99088dfeb34c923b34bea8febddf551fff01634e22e67f6302a1b15b0c2ecbb4ff92ac21bb22e306262159f91691e722f975070b3b88eda4ea88235d
SSDEEP

6144:bZfaGHXxGkvWFvGQ2+8RifCh60unTBY2U4Q:5aCWN2XifChvunTbU

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	08af350036c437cf4c25db00c0b6b267.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2088	2040	08af350036c437cf4c25db00c0b6b267.exe	28
PID 2040 wrote to memory of 2088	2040	08af350036c437cf4c25db00c0b6b267.exe	28
PID 2040 wrote to memory of 2088	2040	08af350036c437cf4c25db00c0b6b267.exe	28
PID 2040 wrote to memory of 2088	2040	08af350036c437cf4c25db00c0b6b267.exe	28
PID 2040 wrote to memory of 2988	2040	08af350036c437cf4c25db00c0b6b267.exe	30
PID 2040 wrote to memory of 2988	2040	08af350036c437cf4c25db00c0b6b267.exe	30
PID 2040 wrote to memory of 2988	2040	08af350036c437cf4c25db00c0b6b267.exe	30
PID 2040 wrote to memory of 2988	2040	08af350036c437cf4c25db00c0b6b267.exe	30

C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe
"C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe
  C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe
  C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6F22.FDD

Filesize
600B

MD5
5fa6d8962a0648dee34249b9c882922a

SHA1
1532583480f8d1abc8112707c03fa4e07041aca9

SHA256
e977758da5d5446d09ce4246d48e1c1f6b896d9075c0f9aa77b803920ded9cf9

SHA512
db8fd1dd13af8ee5b57d25b950747709f0b4254d787781843ea4e4560294ec70f81bf96b06a0b8cb8ca3948adc282eb707f3a621cc0822fa50988a654e248edb

Download Submit
C:\Users\Admin\AppData\Roaming\6F22.FDD

Filesize
1KB

MD5
100aaf3c4086be1204e3aa89438d4ff4

SHA1
fcc0d9536c8cf09c3630b63f02dedd4d3a15b8b7

SHA256
bdae06562875e8634765bb9f98bc46536974bc1e35e1487a408ed62c8e0c0af7

SHA512
4db32938741b7d244367fb5d4b7340f4a429156ed385f183e2183c3c78d73b17135fc9bca8aa3e5b70a955782b3513ebaaadbb562f5affc3bc82aaa64fabf9e3

Download Submit
C:\Users\Admin\AppData\Roaming\6F22.FDD

Filesize
996B

MD5
b80eee1ec6102dc3927c3a56b1f014e5

SHA1
360fe97acca6a9803491a221187817904ad41429

SHA256
4ad6e7c4dadad8021b887d1db4fe61fcb7fbb078f23a370ef58485ddca3a3ea5

SHA512
6cb0707dc64f93ac5d1d37b61c2176da3f1353e33ab92617ef74b19d0648654e7c62ce642f2285d1fe42094b9d3fca8076f63f077818ba6ca48eb6ca9e30d401

Download Submit
memory/2040-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads