Analysis
- max time kernel: 149s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-01-2024 16:52
Static task: static1
Behavioral task: behavioral1
Sample: 4988e3e3866338e62c84f79dd9459ab5.exe
Resource: win7-20231215-en
General
- Target: 4988e3e3866338e62c84f79dd9459ab5.exe
- Size: 220KB
- MD5: 4988e3e3866338e62c84f79dd9459ab5
- SHA1: 42a9168b387aff28cf38151406797129d5c00069
- SHA256: ee714169ef6d0e948444468f74456bda25935205cdad2cee39061579178e9d12
- SHA512: 5dcfb8d2d01e8dc1c7517e827e01da392e78631d710dd9c739d18af3c0c018d910b2cb5c76416bde4ae55a4af9e390bd8d03c1d24893e326c4a167421d3f48aa
- SSDEEP: 6144:t/EBPya0AUqoC1Y4WEeMHVMVNzPzd9sxjpwzMpeJ7BzY:t/Wyh4RJV8NV9gpww8J7RY
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        | pid  | process                                | target process
  PID 3852 wrote to memory of 2872   | 3852 | 4988e3e3866338e62c84f79dd9459ab5.exe   | cmd.exe
  PID 3852 wrote to memory of 2872   | 3852 | 4988e3e3866338e62c84f79dd9459ab5.exe   | cmd.exe
  PID 3852 wrote to memory of 2872   | 3852 | 4988e3e3866338e62c84f79dd9459ab5.exe   | cmd.exe
  PID 2872 wrote to memory of 440    | 2872 | cmd.exe                                | attrib.exe
  PID 2872 wrote to memory of 440    | 2872 | cmd.exe                                | attrib.exe
  PID 2872 wrote to memory of 440    | 2872 | cmd.exe                                | attrib.exe
  PID 2872 wrote to memory of 216    | 2872 | cmd.exe                                | attrib.exe
  PID 2872 wrote to memory of 216    | 2872 | cmd.exe                                | attrib.exe
  PID 2872 wrote to memory of 216    | 2872 | cmd.exe                                | attrib.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
  pid | process
  216 | attrib.exe
  440 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4988e3e3866338e62c84f79dd9459ab5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4988e3e3866338e62c84f79dd9459ab5.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Sun\Java\3D91TM~1.BAT
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\4988e3e3866338e62c84f79dd9459ab5.exe"
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Sun\Java\3D91.tmp.bat"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Sun\Java\3D91.tmp.bat
  Filesize: 422B
  MD5: 63dbf74cb9c679fd02470cfe56bff4e0
  SHA1: f5bf49892dd7d911a75b379579e6ce6eb6901d06
  SHA256: 5f0ebcf43b5a627286fba728b833d34ca89daca3d513cb998bbdeaba335e85f7
  SHA512: 747b0a9f84108222eda9c5e1b952fee1c7df992ed307ae55106b94a2c08476eb837346815fd26511f91fe68696cba011bdf2794a77ef2f6a4cccad73decf736f
- memory/3852-0-0x00000000005F0000-0x00000000005F1000-memory.dmp
  Filesize: 4KB
- memory/3852-1-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/3852-3-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB