22029c11d18b6a2305e35adbace4418ae826ea6370a34b2ebe5f9f07f143a366

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 12:25

Target

6e5030969e4c6caf78be4706858f207a.exe
Size

1.0MB
MD5

6e5030969e4c6caf78be4706858f207a
SHA1

551309895af3493dd169231a959fad375dc6ce55
SHA256

22029c11d18b6a2305e35adbace4418ae826ea6370a34b2ebe5f9f07f143a366
SHA512

05b7f555493c3cf2e970d99ce49d75a3c3b80738d55e5800aeb262476561dff178da06108b6496c8218760ce549ba2d6b2a2bcb61552c3ba0bb587939d2db6fc
SSDEEP

12288:m9cnu4Rfl55oUIJM8jo8F7ZPjQZpodiRQYTaMWMJMsgivxl5+bpNs:CcnuktIJM8jjtjMoo+MXJMsgir5+Hs

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2428	6e5030969e4c6caf78be4706858f207a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28
PID 2472 wrote to memory of 2428	2472	6e5030969e4c6caf78be4706858f207a.exe	28

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2428-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-2-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-4-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-16-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-19-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-18-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-14-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-10-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-8-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-6-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2428-20-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download