Analysis
max time kernel: 187s
max time network: 197s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2024 07:02

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 3c3156de49276bfcb908126759ea0f7e.exe
Resource: win7-20231215-en (windows7-x64)
6 signatures
150 seconds
General
Target: 3c3156de49276bfcb908126759ea0f7e.exe
Size: 1.1MB
MD5: 3c3156de49276bfcb908126759ea0f7e
SHA1: 3b580fa227336f11512e592c99040db279352e92
SHA256: 960a8b99ffcc13827dbf38256c81cf5b8a37e4308b526713445080d2b096fbc0
SHA512: 429ea2f4bd883144f730223e97085ab2dd646155efb668e446f836337937b9af1c2532ba4b04ce43040b9fbf2f4fe1c68c28fdc4c0b9ba300a396fed79e497b1
SSDEEP: 24576:3Ia4wNu3SaZYo+51mnW0Lj7oBj3bqoWVomcqBoG:351uCr10j7oBj3mLVlcqBo
Malware Config
Extracted
Family: arkei
C2: 185.241.52.252/qRdXmPWvrh.php
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2908 set thread context of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4796 | 3064 | WerFault.exe | 104

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2908 | 3c3156de49276bfcb908126759ea0f7e.exe
2908 | 3c3156de49276bfcb908126759ea0f7e.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2908 wrote to memory of 2100 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 103
PID 2908 wrote to memory of 2100 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 103
PID 2908 wrote to memory of 2100 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 103
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
PID 2908 wrote to memory of 3064 | 2908 | 3c3156de49276bfcb908126759ea0f7e.exe | 104
Processes

C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
  PID: 2908
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
      PID: 2100

    C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
      PID: 3064

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1260
          PID: 4796
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3064 -ip 3064
  PID: 4644