Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09-01-2024 13:11

Static task: static1
Behavioral task: behavioral1
Sample: 4e638d78cadb79f3fcaa1e3969b6ba54.exe
Resource: win7-20231215-en
General
- Target: 4e638d78cadb79f3fcaa1e3969b6ba54.exe
- Size: 224KB
- MD5: 4e638d78cadb79f3fcaa1e3969b6ba54
- SHA1: 11b3b062703271561d9f07d00721129e7dc11d9d
- SHA256: 4fca355ee4e0c0c7c0597b4b6d2458d48abf46058aa861669437c3d20a314c78
- SHA512: 31fd8b9976a9eaf6c41cd8fef3d8e5febc9e77a5a4c4a0e23bb9b6639734e51bd985f32d1bbc1342c3f10887eafbe1839319931edd13233faf07b08eebe2c5d7
- SSDEEP: 3072:MN65bDzlF0rbwEa2MRSgRxGyZZmVExK9TkAa0ddtGrXZuCTychO+M8TW0U:M8pfEa2c9xGyE9TkudzsZuC2chBTW0U
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid 2336)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, source process -> target process):
  - PID 1784 wrote to memory of 2336: 4e638d78cadb79f3fcaa1e3969b6ba54.exe -> cmd.exe (4 events)
  - PID 2336 wrote to memory of 2692: cmd.exe -> attrib.exe (4 events)
  - PID 2336 wrote to memory of 2756: cmd.exe -> attrib.exe (4 events)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (pid 2692), attrib.exe (pid 2756)
Processes
- C:\Users\Admin\AppData\Local\Temp\4e638d78cadb79f3fcaa1e3969b6ba54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e638d78cadb79f3fcaa1e3969b6ba54.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\F34CSJ5B\7C13TM~1.BAT
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\4e638d78cadb79f3fcaa1e3969b6ba54.exe"
      Signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\F34CSJ5B\7C13.tmp.bat"
      Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\F34CSJ5B\7C13.tmp.bat
  Filesize: 500B
  MD5: bfc0342fe983427049700329529a0d51
  SHA1: dad87034d0713ed233a6cc8388bebb04a687a44b
  SHA256: 838b8e44a7e2d6780631d3be97ad5840751623d57dab2c54553ea98807e72014
  SHA512: 1819474935db49e7fa8b9ebaa999adef40ff95dcebddf6820dbb3c78df5da82930582b30a70e93ea49046e9e4ca69f9bb78fc9f440ce1292746031f1de3c77f8
- memory/1784-2-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1784-1-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB
- memory/1784-4-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB