Analysis
max time kernel: 145s
max time network: 60s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-01-2024 20:59
Behavioral task
behavioral1
Sample
4c7117bd1791444496e061702641b66c.exe
Resource
win7-20231215-en
windows7-x64
6 signatures
150 seconds
General
Target: 4c7117bd1791444496e061702641b66c.exe
Size: 912KB
MD5: 4c7117bd1791444496e061702641b66c
SHA1: cc0f4f915633e373d4c594fba5db61e44e4d82a1
SHA256: 153bb3b528822c9543725e80de5a3c7a3263f60b1495e08d386b57aade237446
SHA512: 16ab6a578a4ef2da65c409b723a97d7003af0e9c8535f4e7d8a78f303ccd0906adb3dc73b471b0bb7967c877ce330f005d755e406254cb599061d27b3cef99bf
SSDEEP: 12288:n5jidBzc/kf2gs5VKq2w/Sa+/dxvrAuCmqNe4naobjq6BNhyFRR9HMQHnwU9aD:n5ufuvg//vFePjTB8RR9HMQHn3AD
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  4500  setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
  resource (yara_rule)
  behavioral2/memory/4720-0-0x0000000000DB0000-0x0000000001063000-memory.dmp  upx
  behavioral2/files/0x0007000000023237-3.dat  upx
  behavioral2/memory/4500-6-0x0000000000970000-0x0000000000C23000-memory.dmp  upx
  behavioral2/memory/4720-5-0x0000000000DB0000-0x0000000001063000-memory.dmp  upx
  behavioral2/memory/4500-7-0x0000000000970000-0x0000000000C23000-memory.dmp  upx
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid   Process
  4720  4c7117bd1791444496e061702641b66c.exe
  4720  4c7117bd1791444496e061702641b66c.exe
  4500  setup.exe
  4500  setup.exe
  4500  setup.exe
  4500  setup.exe
  4500  setup.exe
  4500  setup.exe
  4500  setup.exe
  4500  setup.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 4720 wrote to memory of 4500  4720  4c7117bd1791444496e061702641b66c.exe  19
  PID 4720 wrote to memory of 4500  4720  4c7117bd1791444496e061702641b66c.exe  19
  PID 4720 wrote to memory of 4500  4720  4c7117bd1791444496e061702641b66c.exe  19
Processes
- C:\Users\Admin\AppData\Local\Temp\4c7117bd1791444496e061702641b66c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4c7117bd1791444496e061702641b66c.exe"
  PID: 4720
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\setup.exe
    command line: C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
    PID: 4500
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx