Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 06:17
Static task: static1
Behavioral task: behavioral1
Sample: 10dcb92c13a6a588fab47ca57141a447.exe
Resource: win7-20231215-en
General
Target: 10dcb92c13a6a588fab47ca57141a447.exe
Size: 216KB
MD5: 10dcb92c13a6a588fab47ca57141a447
SHA1: f28d4a99c744703efa22787a4c7f04b18a265d87
SHA256: cbc0d227773e7f5a97e3c4486244738dbeaceac6cc71fd78f03efbac2310bb68
SHA512: e57f6d61969cf23cc0b57629386ca2441b2c7809e45b3b6184d3246b3bcd063155ff823aa1be7ced104e859825a7756b459f21e8e28197341525a118fef0c2ed
SSDEEP: 3072:AkTVlvEiEnYLoH1Eoj6bVgmEUVtWW7RJbBTSwVv4PJxoBOmxKSfxuTbpVuVlJUMB:AfrQsmojABJVtWkJtpVv4RxoEY5yp1Q
Malware Config
Signatures
Deletes itself (1 IoC)
  Processes: PID 2508 cmd.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                        Target PID  Target process  Hits
  1432        10dcb92c13a6a588fab47ca57141a447.exe  2508        cmd.exe         4
  2508        cmd.exe                               2660        attrib.exe      4
  2508        cmd.exe                               2184        attrib.exe      4
Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: PID 2660 attrib.exe, PID 2184 attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe (PID 1432)
   Command line: "C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2508)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\HNXMTQXM\2E51TM~1.BAT
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"
         - Views/modifies file attributes
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\2E51.tmp.bat"
         - Views/modifies file attributes
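The process tree above is the classic dropper clean-up shape: the sample launches cmd.exe on a batch file it wrote under the roaming profile, and that batch strips the Read-only/System/Hidden attributes from both the sample and itself with attrib -R -S -H so they can be removed. The report does not show the batch file's contents, only the attrib calls, so a detection has to key on what is observable: an attrib.exe child of a cmd.exe that is executing a .bat from the user profile, whose target is the grandparent's own image or the batch script itself. The following is an added example detector written for this page, not code from the sandbox or the report. Its input events are constructed from the tree above; the sample's own parent PID (1000) is an assumption, as is the pairing of attrib PIDs 2660 and 2184 with the two command lines (taken in the order the report lists them).

```python
"""Flag attrib-based self-deletion prep from process-creation events.

Added example for this report page, not sandbox code. EVENTS is constructed
from the report's process tree; the parent PID of the sample (1000) and the
attrib PID-to-command-line pairing are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    attrib_pid: int
    target: str
    reasons: list = field(default_factory=list)


# Constructed input modelled on the report's process tree.
EVENTS = [
    ProcEvent(1432, 1000,  # 1000 is an assumed parent PID, not from the report
              r"C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"'),
    ProcEvent(2508, 1432,
              r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\HNXMTQXM\2E51TM~1.BAT"),
    ProcEvent(2660, 2508,  # PID pairing assumed from the report's listing order
              r"C:\Windows\SysWOW64\attrib.exe",
              r'attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"'),
    ProcEvent(2184, 2508,
              r"C:\Windows\SysWOW64\attrib.exe",
              r'attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\2E51.tmp.bat"'),
]

# attrib [path\]attrib[.exe] <+/-X flags...> <target>  (target quoted or bare)
ATTRIB_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?attrib(?:\.exe)?"?\s+'
    r"(?P<flags>(?:[-+][A-Za-z]\s+)*)"
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)
# cmd.exe /c or /k followed by a .bat/.cmd script path
BATCH_RE = re.compile(r'(?:^|\s)/[ck]\s+"?(?P<script>[^"\s]+\.(?:bat|cmd))"?', re.IGNORECASE)
# anything under C:\Users\<name>\AppData\ (covers both long and 8.3 forms seen above)
PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def norm_path(p: str) -> str:
    """Case-insensitive comparison key for Windows paths (does not resolve 8.3 names)."""
    return p.strip('"').replace("/", "\\").lower()


def batch_script_of(cmd_line: str):
    """Return the .bat/.cmd path a cmd.exe command line executes, or None."""
    m = BATCH_RE.search(cmd_line)
    return m.group("script") if m else None


def detect_self_delete_prep(events):
    """Return one Finding per attrib.exe that matches the dropper clean-up pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not norm_path(ev.image).endswith("\\attrib.exe"):
            continue
        m = ATTRIB_RE.match(ev.cmdline)
        if not m:
            continue
        flags = {f.upper() for f in re.findall(r"[-+][A-Za-z]", m.group("flags"))}
        target = m.group("quoted") or m.group("bare")
        if not {"-S", "-H"} <= flags:
            continue  # only stripping System+Hidden is interesting here
        parent = by_pid.get(ev.ppid)
        if parent is None or not norm_path(parent.image).endswith("\\cmd.exe"):
            continue
        script = batch_script_of(parent.cmdline)
        if script is None or not PROFILE_RE.search(script):
            continue
        f = Finding(ev.pid, target,
                    ["attrib -S -H run by cmd.exe executing a batch script from the user profile"])
        grand = by_pid.get(parent.ppid)
        if grand is not None and norm_path(grand.image) == norm_path(target):
            f.reasons.append("target is the grandparent process's own image: self-deletion prep")
        if norm_path(target).endswith((".bat", ".cmd")) and PROFILE_RE.search(target):
            f.reasons.append("target is a batch script in the user profile: the dropper's script")
        if "~" in script:
            f.reasons.append("cmd.exe was given an 8.3 short-name path; resolve it before comparing with long paths")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect_self_delete_prep(EVENTS):
        print(f"attrib PID {f.attrib_pid} -> {f.target}")
        for r in f.reasons:
            print("   ", r)
```

The short-name caveat matters in practice: the cmd.exe line names the script as 2E51TM~1.BAT while the attrib line and the Downloads entry use 2E51.tmp.bat, so a string comparison between the two will not match; on a live host resolve with GetLongPathName (or compare by file hash) before correlating. The detector therefore only pins the batch target by location and extension rather than by exact path.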
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\HNXMTQXM\2E51.tmp.bat
  Filesize: 500B
  MD5: 2e659cec12d1180cea8bd07cd50eb9d1
  SHA1: ccda32488f524aed9f836d3e4b40041a032c466c
  SHA256: 8426c4b61747d62655506ca537af5ebee19a9d3cb06d2791e83b544f8538bbbd
  SHA512: 4a3f1eb23b0af92ad35330bbc43109ba97a48c558ffe5c84b082c8d0bab75d3379d590980c3005fa47fad7b9ce3769c189f5a630441f358e8da239664140d425
memory/1432-1-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
memory/1432-3-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
memory/1432-0-0x00000000002C0000-0x00000000002C1000-memory.dmp
  Filesize: 4KB