Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
25-01-2024 16:22
Behavioral task
behavioral1
Sample
74f5550fe4a304944f614d859e3e7004.exe
Resource
win7-20231215-en
General
-
Target
74f5550fe4a304944f614d859e3e7004.exe
-
Size
250KB
-
MD5
74f5550fe4a304944f614d859e3e7004
-
SHA1
b53a9617b8e00dabbcb10f7592201f09f8828897
-
SHA256
b97c99f271cb2d218762fe38061ac11774f5135d95bf8945e4d45dbd60e69d57
-
SHA512
5c7acdbb3c4ef6435d60b4026ca751ed58c074cb9d1edee08e6d8a53d3611b14cd8f3a7eda798e924bc4f9f73438120ae55749fa21d058de37ff127ef898d258
-
SSDEEP
6144:BJeIKwbHlRIVao7OtIgV9cwfyGBaPihEiWg8jnCV7pQVRp+mfsg6:zNLIVao7XgV9cwfboiui7uCV7eRpp56
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PID 2468  3.exe
-
Loads dropped DLL 2 IoCs
Processes:
PID 828  74f5550fe4a304944f614d859e3e7004.exe (listed twice, one entry per loaded DLL)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Matches yara rule "upx" (the process image in memory is UPX-packed) 2 matches
Processes:
resource: behavioral1/memory/828-0-0x0000000000400000-0x00000000004B2000-memory.dmp   yara_rule: upx
resource: behavioral1/memory/828-12-0x0000000000400000-0x00000000004B2000-memory.dmp  yara_rule: upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
PID 828 (74f5550fe4a304944f614d859e3e7004.exe) wrote to memory of PID 2468 (3.exe); 4 identical entries, one per IoC
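The three "Reads ... data" signatures above fire on file reads of credential stores belonging to FTP, messenger and browser clients. The script below is an added example of how an analyst would implement the same check over file-access telemetry; it is not the sandbox's own signature logic. The path patterns are well-known on-disk locations (FileZilla sitemanager.xml/recentservers.xml, Chrome "Login Data", Firefox logins.json, Telegram Desktop tdata), but the set, the owner allow-list and the sample log lines (pid|image|path, modelled on the PIDs in this report) are constructed for the example.

```python
"""Flag processes that read credential stores of FTP, messenger and browser
clients. Added illustration, not the sandbox's signature logic; the store list,
the owner allow-list and the sample log lines are constructed for this example."""
import re
from collections import defaultdict

# Category -> regexes over a normalised (lower-case, backslash) path.
# Well-known locations; treat the set as a starting point, not an exhaustive list.
CREDENTIAL_STORES = {
    "ftp_client": [
        r"\\appdata\\roaming\\filezilla\\(sitemanager|recentservers)\.xml$",
        r"\\appdata\\roaming\\winscp\.ini$",
    ],
    "messenger": [
        r"\\appdata\\roaming\\telegram desktop\\tdata\\",
        r"\\appdata\\roaming\\\.purple\\accounts\.xml$",
    ],
    "browser": [
        r"\\user data\\[^\\]+\\(login data|cookies|web data)$",
        r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$",
    ],
}

# Processes that legitimately own a store; a read by any other image is the signal.
OWNERS = {
    "ftp_client": {"filezilla.exe", "winscp.exe"},
    "messenger": {"telegram.exe", "pidgin.exe"},
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe"},
}

_COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in CREDENTIAL_STORES.items()}


def classify(path):
    """Return the credential-store category a path belongs to, or None."""
    p = path.replace("/", "\\").lower()
    for cat, pats in _COMPILED.items():
        if any(r.search(p) for r in pats):
            return cat
    return None


def parse_event(line):
    """Parse one constructed file-read event: pid|image|path."""
    pid, image, path = line.split("|", 2)
    return int(pid), image.strip().lower(), path.strip()


def find_stealer_activity(lines):
    """Group suspicious reads per process: {pid: {"image": ..., "hits": {category: [paths]}}}."""
    found = defaultdict(lambda: {"image": None, "hits": defaultdict(list)})
    for line in lines:
        pid, image, path = parse_event(line)
        cat = classify(path)
        if cat is None or image in OWNERS[cat]:
            continue  # not a credential store, or the owning application reading its own data
        found[pid]["image"] = image
        found[pid]["hits"][cat].append(path)
    return {pid: {"image": f["image"], "hits": dict(f["hits"])} for pid, f in found.items()}


# Constructed sample telemetry (not from the sandbox run): pid|image|path
SAMPLE_LOG = [
    "2468|3.exe|C:\\Users\\Admin\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
    "2468|3.exe|C:\\Users\\Admin\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    "2468|3.exe|C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas",
    "2468|3.exe|C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "1337|filezilla.exe|C:\\Users\\Admin\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
    "2468|3.exe|C:\\Users\\Admin\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for pid, f in find_stealer_activity(SAMPLE_LOG).items():
        cats = ", ".join(f"{c}:{len(p)}" for c, p in f["hits"].items())
        print(f"PID {pid} ({f['image']}) read credential stores -> {cats}")
```

The owner allow-list is what keeps this from firing on every FileZilla or Chrome start; a single unknown image touching stores from more than one category (as 3.exe does in the sample) is the pattern the sandbox's three signatures together describe.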
Processes
-
C:\Users\Admin\AppData\Local\Temp\74f5550fe4a304944f614d859e3e7004.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\74f5550fe4a304944f614d859e3e7004.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 828
  C:\Users\Admin\AppData\Roaming\3.exe
  Command line: "C:\Users\Admin\AppData\Roaming\3.exe"
  Depth: 2 (child of PID 828)
  - Executes dropped EXE
  PID: 2468
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
64KB
MD5
0cdd88da0518baa38dbc64cdf0d58d3b
SHA1
a2cf28a9887e8f8f470726336393facd4d1692a3
SHA256
e54fb011fe1c603f5951b87252ae2fa31a44cd109b49ded765eeacf14232c32c
SHA512
3f81d3343c42c79218270fd5b6ad0c93a0df36fe6d6e3f30fdeb336296ea6278bc9dd3562bd2efd0f8dfc32448b6090af15c69a9537ccd7d07f1ad9c0272c4a7
-
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
190KB
MD5
7503edeaf4d14bc163816dba96e4ac84
SHA1
8f7dd9410172735d2f80b342bf58cd2591bc8867
SHA256
2b5a469bd682378651b1c097864b67bfba6c0db81621c129b96bbfc1d761216b
SHA512
b8a8f8859e46c80f9301bcb9290d260ce03ff7550044c4ad9e096dd55606acf058a57d326f36a22a5038fca94f17265384e4478a9bb29202b804e52463d2e552
-
\Users\Admin\AppData\Roaming\3.exe
Filesize
344KB
MD5
3dc0297d7b73ebd1e539bf0a9c2683d5
SHA1
656ab0f04c78535abf603a406ab1669af4896f78
SHA256
22c43e3be6002557aa21246fccfc551f34e5d8c661cd43bfcf01e07d1d624537
SHA512
ee76a5fde06f9038d7dc6f850291c7ac80765bc4e0f07ec171a50452d7dc8b97679808db120473b3ff87146fe6cbb0d274d89aadd8524513b6673eb0d80edf3e
-
memory/828-0-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/828-12-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
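The Downloads list above records three different contents (64KB, 190KB and 344KB, each with its own hash set) at the same path, C:\Users\Admin\AppData\Roaming\3.exe, which is what a sandbox produces when it captures a file at more than one point while it is being written; the report does not say which capture executed, so every hash should be pivoted on. The script below is an added example, not part of the report or the sandbox's tooling: it parses the artifact list exactly as it appears when scraped (label and value fused, e.g. "MD5<hex>"), validates hash lengths, checks that each memory dump's declared size matches its address range, and flags paths that appear with more than one SHA256. The sample text is the page's own Downloads block; the parsing layout it targets is an assumption about this scrape, not a stable format.

```python
"""Parse a scraped sandbox 'Downloads' artifact list and run the sanity checks
an analyst wants before pivoting on the hashes. Added example; the fused
'LABELvalue' layout it parses is how the entries appear on this page."""
import re
from collections import defaultdict

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_LABEL = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
_SIZE = re.compile(r"^(\d+)\s*KB$")
_MEM = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_artifacts(text):
    """Return a list of {'path', 'size_kb', 'MD5', ...} dicts from fused entries."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            continue
        if line.endswith("Filesize"):          # "<path>Filesize" opens a new entry
            cur = {"path": line[: -len("Filesize")].strip()}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = _SIZE.match(line)
        if m:
            cur["size_kb"] = int(m.group(1))
            continue
        m = _LABEL.match(line)
        if m:
            cur[m.group(1)] = m.group(2).lower()
    return entries


def check_artifacts(entries):
    """Return human-readable findings: bad hash lengths, size/range mismatches,
    and paths captured with more than one distinct content."""
    findings = []
    by_path = defaultdict(list)
    for e in entries:
        for algo, n in HEX_LEN.items():
            if algo in e and len(e[algo]) != n:
                findings.append(f"{e['path']}: {algo} has {len(e[algo])} hex digits, expected {n}")
        m = _MEM.search(e["path"])
        if m:
            span_kb = (int(m.group(4), 16) - int(m.group(3), 16)) // 1024
            if span_kb != e.get("size_kb"):
                findings.append(f"{e['path']}: region spans {span_kb}KB but report says {e.get('size_kb')}KB")
        else:
            # Drop the drive letter so "C:\x" and "\x" are recognised as one file.
            key = re.sub(r"^[A-Za-z]:", "", e["path"]).lower()
            by_path[key].append(e)
    for key, versions in by_path.items():
        hashes = {v.get("SHA256") for v in versions}
        if len(hashes) > 1:
            sizes = sorted(v.get("size_kb", 0) for v in versions)
            findings.append(f"{key}: {len(hashes)} distinct SHA256 values (sizes {sizes} KB); "
                            "the file was captured more than once, pivot on every hash")
    return findings


# The page's own Downloads block as scraped (raw string: the paths contain backslashes).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Roaming\3.exeFilesize
64KB
MD50cdd88da0518baa38dbc64cdf0d58d3b
SHA1a2cf28a9887e8f8f470726336393facd4d1692a3
SHA256e54fb011fe1c603f5951b87252ae2fa31a44cd109b49ded765eeacf14232c32c
SHA5123f81d3343c42c79218270fd5b6ad0c93a0df36fe6d6e3f30fdeb336296ea6278bc9dd3562bd2efd0f8dfc32448b6090af15c69a9537ccd7d07f1ad9c0272c4a7
-
C:\Users\Admin\AppData\Roaming\3.exeFilesize
190KB
MD57503edeaf4d14bc163816dba96e4ac84
SHA18f7dd9410172735d2f80b342bf58cd2591bc8867
SHA2562b5a469bd682378651b1c097864b67bfba6c0db81621c129b96bbfc1d761216b
SHA512b8a8f8859e46c80f9301bcb9290d260ce03ff7550044c4ad9e096dd55606acf058a57d326f36a22a5038fca94f17265384e4478a9bb29202b804e52463d2e552
-
\Users\Admin\AppData\Roaming\3.exeFilesize
344KB
MD53dc0297d7b73ebd1e539bf0a9c2683d5
SHA1656ab0f04c78535abf603a406ab1669af4896f78
SHA25622c43e3be6002557aa21246fccfc551f34e5d8c661cd43bfcf01e07d1d624537
SHA512ee76a5fde06f9038d7dc6f850291c7ac80765bc4e0f07ec171a50452d7dc8b97679808db120473b3ff87146fe6cbb0d274d89aadd8524513b6673eb0d80edf3e
-
memory/828-0-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/828-12-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
"""

if __name__ == "__main__":
    for finding in check_artifacts(parse_artifacts(SAMPLE_REPORT)):
        print(finding)
```

The memory-dump check is the one that catches copy errors in the address range: 0x4B2000 - 0x400000 is 0xB2000 bytes, which is the 712KB the report states, so those two entries stay silent while the three 3.exe captures produce one finding.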