Analysis
max time kernel: 148s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 30-12-2023 06:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample: 10dcb92c13a6a588fab47ca57141a447.exe
Resource: win7-20231215-en (windows7-x64)
4 signatures
150 seconds
General
Target: 10dcb92c13a6a588fab47ca57141a447.exe
Size: 216KB
MD5: 10dcb92c13a6a588fab47ca57141a447
SHA1: f28d4a99c744703efa22787a4c7f04b18a265d87
SHA256: cbc0d227773e7f5a97e3c4486244738dbeaceac6cc71fd78f03efbac2310bb68
SHA512: e57f6d61969cf23cc0b57629386ca2441b2c7809e45b3b6184d3246b3bcd063155ff823aa1be7ced104e859825a7756b459f21e8e28197341525a118fef0c2ed
SSDEEP: 3072:AkTVlvEiEnYLoH1Eoj6bVgmEUVtWW7RJbBTSwVv4PJxoBOmxKSfxuTbpVuVlJUMB:AfrQsmojABJVtWkJtpVv4RxoEY5yp1Q
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 10dcb92c13a6a588fab47ca57141a447.exe, cmd.exe
description                        pid   process                                target process
PID 4644 wrote to memory of 508    4644  10dcb92c13a6a588fab47ca57141a447.exe  cmd.exe
PID 4644 wrote to memory of 508    4644  10dcb92c13a6a588fab47ca57141a447.exe  cmd.exe
PID 4644 wrote to memory of 508    4644  10dcb92c13a6a588fab47ca57141a447.exe  cmd.exe
PID 508 wrote to memory of 1088    508   cmd.exe                                attrib.exe
PID 508 wrote to memory of 1088    508   cmd.exe                                attrib.exe
PID 508 wrote to memory of 1088    508   cmd.exe                                attrib.exe
PID 508 wrote to memory of 2220    508   cmd.exe                                attrib.exe
PID 508 wrote to memory of 2220    508   cmd.exe                                attrib.exe
PID 508 wrote to memory of 2220    508   cmd.exe                                attrib.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
pid   process
1088  attrib.exe
2220  attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\703ETM~1.BAT
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\10dcb92c13a6a588fab47ca57141a447.exe"
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\703E.tmp.bat"
      - Views/modifies file attributes