Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 09-01-2024 13:11
Static task: static1
Behavioral task: behavioral1
  Sample: 4e638d78cadb79f3fcaa1e3969b6ba54.exe
  Resource: win7-20231215-en
General
Target: 4e638d78cadb79f3fcaa1e3969b6ba54.exe
Size: 224KB
MD5: 4e638d78cadb79f3fcaa1e3969b6ba54
SHA1: 11b3b062703271561d9f07d00721129e7dc11d9d
SHA256: 4fca355ee4e0c0c7c0597b4b6d2458d48abf46058aa861669437c3d20a314c78
SHA512: 31fd8b9976a9eaf6c41cd8fef3d8e5febc9e77a5a4c4a0e23bb9b6639734e51bd985f32d1bbc1342c3f10887eafbe1839319931edd13233faf07b08eebe2c5d7
SSDEEP: 3072:MN65bDzlF0rbwEa2MRSgRxGyZZmVExK9TkAa0ddtGrXZuCTychO+M8TW0U:M8pfEa2c9xGyE9TkudzsZuC2chBTW0U
Malware Config
Signatures
Drops startup file (2 IoCs)
Processes: 4e638d78cadb79f3fcaa1e3969b6ba54.exe, attrib.exe
  description                    ioc                                                                  process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\44F8.tmp.bat  4e638d78cadb79f3fcaa1e3969b6ba54.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\44F8.tmp.bat  attrib.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 4e638d78cadb79f3fcaa1e3969b6ba54.exe, cmd.exe
  description                        pid    process                                 target process
  PID 1040 wrote to memory of 1224   1040   4e638d78cadb79f3fcaa1e3969b6ba54.exe   cmd.exe
  PID 1040 wrote to memory of 1224   1040   4e638d78cadb79f3fcaa1e3969b6ba54.exe   cmd.exe
  PID 1040 wrote to memory of 1224   1040   4e638d78cadb79f3fcaa1e3969b6ba54.exe   cmd.exe
  PID 1224 wrote to memory of 1300   1224   cmd.exe                                 attrib.exe
  PID 1224 wrote to memory of 1300   1224   cmd.exe                                 attrib.exe
  PID 1224 wrote to memory of 1300   1224   cmd.exe                                 attrib.exe
  PID 1224 wrote to memory of 3040   1224   cmd.exe                                 attrib.exe
  PID 1224 wrote to memory of 3040   1224   cmd.exe                                 attrib.exe
  PID 1224 wrote to memory of 3040   1224   cmd.exe                                 attrib.exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid    process
  1300   attrib.exe
  3040   attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4e638d78cadb79f3fcaa1e3969b6ba54.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4e638d78cadb79f3fcaa1e3969b6ba54.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\Word\STARTUP\44F8TM~1.BAT
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\4e638d78cadb79f3fcaa1e3969b6ba54.exe"
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\44F8.tmp.bat"
      - Drops startup file
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\MICROS~1\Word\STARTUP\44F8.tmp.bat
  Filesize: 450B
  MD5: f7d097de698e36c2325ad3bd502484dd
  SHA1: 7ef4781f0975c08d23f72abd6d9dda1be15b4d22
  SHA256: 9ee1ab3394d2880d98702f6fdf3edc2f0a64649209c1ee1308f547bf546c5ca9
  SHA512: d682f011a9cac6bdd17f856d3b35f12f5e2e4d41c446b4c3bde85d029a7e262383828692bef66690089f6cc69a80b4ea516b5984541125bcac39e0bfd9a46eef

memory/1040-0-0x00000000005E0000-0x00000000005E1000-memory.dmp
  Filesize: 4KB

memory/1040-2-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB