Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-01-2024 07:02

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: 3c3156de49276bfcb908126759ea0f7e.exe
  Resource: win7-20231215-en (windows7-x64)
  6 signatures, 150 seconds
General

Target: 3c3156de49276bfcb908126759ea0f7e.exe
Size: 1.1MB
MD5: 3c3156de49276bfcb908126759ea0f7e
SHA1: 3b580fa227336f11512e592c99040db279352e92
SHA256: 960a8b99ffcc13827dbf38256c81cf5b8a37e4308b526713445080d2b096fbc0
SHA512: 429ea2f4bd883144f730223e97085ab2dd646155efb668e446f836337937b9af1c2532ba4b04ce43040b9fbf2f4fe1c68c28fdc4c0b9ba300a396fed79e497b1
SSDEEP: 24576:3Ia4wNu3SaZYo+51mnW0Lj7oBj3bqoWVomcqBoG:351uCr10j7oBj3mLVlcqBo
Malware Config (Extracted)

Family: arkei
C2: 185.241.52.252/qRdXmPWvrh.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
  description                          | pid  | Process                               | procid_target
  PID 2516 set thread context of 2808  | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28

Program crash (1 IoCs)
  pid  | pid_target | Process      | procid_target
  2252 | 2808       | WerFault.exe | 28

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                      | pid  | Process                               | procid_target
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2516 wrote to memory of 2808 | 2516 | 3c3156de49276bfcb908126759ea0f7e.exe  | 28
  PID 2808 wrote to memory of 2252 | 2808 | 3c3156de49276bfcb908126759ea0f7e.exe  | 33
  PID 2808 wrote to memory of 2252 | 2808 | 3c3156de49276bfcb908126759ea0f7e.exe  | 33
  PID 2808 wrote to memory of 2252 | 2808 | 3c3156de49276bfcb908126759ea0f7e.exe  | 33
  PID 2808 wrote to memory of 2252 | 2808 | 3c3156de49276bfcb908126759ea0f7e.exe  | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
   PID: 2516
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
      PID: 2808
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 652
         PID: 2252
         - Program crash