cbc0d227773e7f5a97e3c4486244738dbeaceac6cc71fd78f03efbac2310bb68

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10dcb92c13a6a588fab47ca57141a447.exe
Size

216KB
MD5

10dcb92c13a6a588fab47ca57141a447
SHA1

f28d4a99c744703efa22787a4c7f04b18a265d87
SHA256

cbc0d227773e7f5a97e3c4486244738dbeaceac6cc71fd78f03efbac2310bb68
SHA512

e57f6d61969cf23cc0b57629386ca2441b2c7809e45b3b6184d3246b3bcd063155ff823aa1be7ced104e859825a7756b459f21e8e28197341525a118fef0c2ed
SSDEEP

3072:AkTVlvEiEnYLoH1Eoj6bVgmEUVtWW7RJbBTSwVv4PJxoBOmxKSfxuTbpVuVlJUMB:AfrQsmojABJVtWkJtpVv4RxoEY5yp1Q

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2508 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2508	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

10dcb92c13a6a588fab47ca57141a447.execmd.exe

description	pid	process	target process
PID 1432 wrote to memory of 2508	1432	10dcb92c13a6a588fab47ca57141a447.exe	cmd.exe
PID 1432 wrote to memory of 2508	1432	10dcb92c13a6a588fab47ca57141a447.exe	cmd.exe
PID 1432 wrote to memory of 2508	1432	10dcb92c13a6a588fab47ca57141a447.exe	cmd.exe
PID 1432 wrote to memory of 2508	1432	10dcb92c13a6a588fab47ca57141a447.exe	cmd.exe
PID 2508 wrote to memory of 2660	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2660	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2660	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2660	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2184	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2184	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2184	2508	cmd.exe	attrib.exe
PID 2508 wrote to memory of 2184	2508	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2660 attrib.exe
2184 attrib.exe

pid	process
2660	attrib.exe
2184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe
"C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\HNXMTQXM\2E51TM~1.BAT
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"
3⤵
- Views/modifies file attributes
PID:2660

C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\2E51.tmp.bat"
3⤵
- Views/modifies file attributes
PID:2184

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\HNXMTQXM\2E51.tmp.bat
Filesize
500B

MD5
2e659cec12d1180cea8bd07cd50eb9d1

SHA1
ccda32488f524aed9f836d3e4b40041a032c466c

SHA256
8426c4b61747d62655506ca537af5ebee19a9d3cb06d2791e83b544f8538bbbd

SHA512
4a3f1eb23b0af92ad35330bbc43109ba97a48c558ffe5c84b082c8d0bab75d3379d590980c3005fa47fad7b9ce3769c189f5a630441f358e8da239664140d425

Download Submit
memory/1432-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1432-3-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1432-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download