Analysis
-
max time kernel
143s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
03/01/2024, 14:38
Static task
static1
Behavioral task
behavioral1
Sample
2b1432ef93e6466c27d4ac59028ee254.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2b1432ef93e6466c27d4ac59028ee254.exe
Resource
win10v2004-20231215-en
General
-
Target
2b1432ef93e6466c27d4ac59028ee254.exe
-
Size
165KB
-
MD5
2b1432ef93e6466c27d4ac59028ee254
-
SHA1
e7a68440a69e99033e6ba2ca9fa19ab931584c28
-
SHA256
a5574d4791492293674dddbb259309a2cdb24471103484a0882f3c076a7cc1ef
-
SHA512
c694cf1b9cc2ad6bcbbad4cacc7bd2d94cf49231bde87ff47688c5bcc758f31fd458df01cb3fb4c569932d8c25246e0f60584090a162d888e59b6841ee0e38a5
-
SSDEEP
3072:aAWT36du5VmyT4gLHz7iFm6Y+HD6I4Ich4yqiDQkfnoFa4uX2:avr6du5VrTfznLgJiXvTf4aP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\3A4AB\\91D95.exe"
Process: 2b1432ef93e6466c27d4ac59028ee254.exe
The value is written under the user's own hive (HKU\<SID>), not HKLM, and keeps explorer.exe as the first entry so the desktop still loads normally; the dropped 91D95.exe appended after the comma is started by Winlogon at every logon of that user. A per-user Winlogon\Shell value is not present on a default install, so its existence alone is worth checking. -
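A check for this persistence method, added here as an example and not part of the sandbox output: it parses Winlogon Shell and Userinit values, strips the doubled backslashes sandbox reports print, and returns any entry that is not the stock default. The sample values are constructed (the report's IoC next to clean defaults); the live-read helper uses the standard winreg module and only runs on Windows. The example goes beyond the report by also covering Userinit, whose default on a stock install is C:\Windows\system32\userinit.exe followed by a trailing comma.

```python
"""Flag non-default entries in Winlogon Shell / Userinit values.

Added example for this report; not part of the sandbox output. SAMPLE_VALUES
is constructed: the Shell string is the IoC the report lists, the Userinit
string is a clean default.
"""
import sys
from typing import Dict, List

# Defaults on a stock Windows install, lower-cased for case-insensitive
# comparison. Userinit normally carries a trailing comma, which the parser drops.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def parse_winlogon_value(raw: str) -> List[str]:
    """Split a Winlogon value into its comma-separated entries.

    Handles the doubled backslashes that sandbox reports print, surrounding
    quotes and whitespace, and the trailing comma Userinit normally carries.
    """
    entries = []
    for part in raw.replace("\\\\", "\\").split(","):
        part = part.strip().strip('"').strip()
        if part:
            entries.append(part)
    return entries


def unexpected_entries(name: str, raw: str) -> List[str]:
    """Return the entries of value `name` that are not the known default."""
    return [e for e in parse_winlogon_value(raw) if e.lower() not in EXPECTED[name]]


def check_winlogon(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: [suspicious entries]} for every value with extras."""
    findings = {}
    for name, raw in values.items():
        if name not in EXPECTED:
            continue
        extra = unexpected_entries(name, raw)
        if extra:
            findings[name] = extra
    return findings


def read_live_winlogon() -> Dict[str, Dict[str, str]]:
    """Read Shell/Userinit from HKLM and HKCU on a Windows host.

    Returns {hive: {name: value}}; missing keys or values are skipped. A Shell
    value under HKCU does not exist on a default install, so its presence is
    already a lead before the contents are inspected.
    """
    import winreg  # standard library, Windows only
    path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    out = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        found = {}
        try:
            with winreg.OpenKey(hive, path) as key:
                for name in EXPECTED:
                    try:
                        found[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            continue
        if found:
            out[hive_name] = found
    return out


# Constructed sample: the report's IoC (as printed, with doubled backslashes)
# beside a clean Userinit default.
SAMPLE_VALUES = {
    "Shell": r"explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\3A4AB\\91D95.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

if __name__ == "__main__":
    for name, extras in check_winlogon(SAMPLE_VALUES).items():
        print(f"[!] Winlogon\\{name} has unexpected entries: {extras}")
    if sys.platform == "win32":
        for hive, values in read_live_winlogon().items():
            for name, extras in check_winlogon(values).items():
                print(f"[!] {hive}\\...\\Winlogon\\{name}: {extras}")
```

On the constructed sample the only finding is Shell, with the single extra entry C:\Users\Admin\AppData\Roaming\3A4AB\91D95.exe; run on a live host it reports both hives separately so an HKCU override stands out from the machine-wide value.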
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
-
The yara rule upx matched the same 0x400000-0x490000 image range in all three processes of the tree (PIDs 2968, 2732 and 1900), consistent with a UPX-packed image being unpacked in place:
resource                                                                      yara_rule
behavioral1/memory/2968-2-0x0000000000400000-0x0000000000490000-memory.dmp    upx
behavioral1/memory/2732-14-0x0000000000400000-0x0000000000490000-memory.dmp   upx
behavioral1/memory/2968-17-0x0000000000400000-0x0000000000490000-memory.dmp   upx
behavioral1/memory/2968-131-0x0000000000400000-0x0000000000490000-memory.dmp  upx
behavioral1/memory/1900-132-0x0000000000400000-0x0000000000490000-memory.dmp  upx
behavioral1/memory/2968-262-0x0000000000400000-0x0000000000490000-memory.dmp  upx
-
Suspicious use of WriteProcessMemory 8 IoCs
description                         pid   Process                               procid_target
PID 2968 wrote to memory of 2732    2968  2b1432ef93e6466c27d4ac59028ee254.exe  28
PID 2968 wrote to memory of 2732    2968  2b1432ef93e6466c27d4ac59028ee254.exe  28
PID 2968 wrote to memory of 2732    2968  2b1432ef93e6466c27d4ac59028ee254.exe  28
PID 2968 wrote to memory of 2732    2968  2b1432ef93e6466c27d4ac59028ee254.exe  28
PID 2968 wrote to memory of 1900    2968  2b1432ef93e6466c27d4ac59028ee254.exe  30
PID 2968 wrote to memory of 1900    2968  2b1432ef93e6466c27d4ac59028ee254.exe  30
PID 2968 wrote to memory of 1900    2968  2b1432ef93e6466c27d4ac59028ee254.exe  30
PID 2968 wrote to memory of 1900    2968  2b1432ef93e6466c27d4ac59028ee254.exe  30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe"
  PID: 2968
  - Modifies WinLogon for persistence
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe
      command line: C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe startC:\Program Files (x86)\LP\9563\D9A.exe%C:\Program Files (x86)\LP\9563
      PID: 2732
    C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe
      command line: C:\Users\Admin\AppData\Local\Temp\2b1432ef93e6466c27d4ac59028ee254.exe startC:\Program Files (x86)\AB5DA\lvvm.exe%C:\Program Files (x86)\AB5DA
      PID: 1900
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
996B
MD5
da98c6c6f47ee6604164f90f9c01d19a
SHA1
11b42cfe5b9ccdb8e19743838cb2ba125a8081dd
SHA256
ee589b65892e452191ffef193c909680e6b67ccd4cd9bfee0e4f2e6ddba79a2e
SHA512
a93e053c989733cedba3f7435db5592b5953140b603f1c18fbb199d9c8488b4ea8ddb9af3cd696005519c79180ef5d8026b3a1738110c04c549faf653f146752
-
Filesize
600B
MD5
2464bbaa0478cbeff78d8eaef10e41aa
SHA1
a6751afe01cf70ffc0602ba582e9e31821c82eeb
SHA256
ebbbf432082e1ea0d2d6054ddda8137af2334575af0dc7e37293a4d037eca0ae
SHA512
e8e7edfff501c9824e6e2a0f3de36db9e3a2e919df57aaf0943e0ea7a67e62e5f9de8382c1c30bd0ef37a31c997731c19b241eda18de41c0a9ccf861ca38bf4a
-
Filesize
1KB
MD5
945f0e1fc486aed85c5af159d3fdf7da
SHA1
103df552e8cee5aec6a86d888d013ee459c293ca
SHA256
a41484772fb9117cd068d95a53d615255d0c85e19dab026c374b18b42e5977cb
SHA512
fb2ce4071ca9fff89ac12ba6339ff5c64036fd163d63d9d19e9bc60df53030ed86bdd2ac90e03670ba24b7de5783ca4513676b48d64eca85d80acb747e39d0d9