Analysis
-
max time kernel
141s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231222-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
25-01-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
75061c1443020392bb408d05e9e8203e.exe
Resource
win7-20231215-en
General
-
Target
75061c1443020392bb408d05e9e8203e.exe
-
Size
182KB
-
MD5
75061c1443020392bb408d05e9e8203e
-
SHA1
83c5907f824aab2ebb3c76f81f2575fab2eb5eb9
-
SHA256
e0f046188e32e9793108675a8b8e8d389860c12cba5dda1b1d6c3510aa3b0689
-
SHA512
bdf7a7a2fc5a2ae9de2d348273eea84b7c285e971199602586d6e9c1867daaf36bc9217a4cb554452840ea06d06176a61cdfaf344553e29ed3bab8fb771968d3
-
SSDEEP
3072:TB2HmnnGG0yqG3jBOsdrrnPPw98kdW3yiQAkhYnXrHcnqlHYdOgvu5HG:F2GnCA3NlVrPI9AWhYnXr8qlHY3uRG
Malware Config
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (resource, yara_rule):
behavioral2/memory/1692-1-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/2804-12-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/2804-14-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/2100-70-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/1692-71-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/1692-73-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/1692-139-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/1692-172-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/1692-174-0x0000000000400000-0x000000000044E000-memory.dmp  upx
behavioral2/memory/1692-188-0x0000000000400000-0x000000000044E000-memory.dmp  upx
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
75061c1443020392bb408d05e9e8203e.exe (description, pid, process, target process):
PID 1692 wrote to memory of 2804  1692  75061c1443020392bb408d05e9e8203e.exe  75061c1443020392bb408d05e9e8203e.exe
PID 1692 wrote to memory of 2804  1692  75061c1443020392bb408d05e9e8203e.exe  75061c1443020392bb408d05e9e8203e.exe
PID 1692 wrote to memory of 2804  1692  75061c1443020392bb408d05e9e8203e.exe  75061c1443020392bb408d05e9e8203e.exe
PID 1692 wrote to memory of 2100  1692  75061c1443020392bb408d05e9e8203e.exe  75061c1443020392bb408d05e9e8203e.exe
PID 1692 wrote to memory of 2100  1692  75061c1443020392bb408d05e9e8203e.exe  75061c1443020392bb408d05e9e8203e.exe
PID 1692 wrote to memory of 2100  1692  75061c1443020392bb408d05e9e8203e.exe  75061c1443020392bb408d05e9e8203e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe"
  - Suspicious use of WriteProcessMemory
  PID:1692
  -
  C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID:2804
  -
  C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\75061c1443020392bb408d05e9e8203e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID:2100
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\FCEB.BDB
Filesize
1KB
MD5
6225a05bae10f47f16def17dacf8df06
SHA1
4539bef6f82307ef3570c06ff80b40e21f736b47
SHA256
6c0035b11b32345b69bd4f08ff65fdf9b6a32333efaa94421b1c3807864c7fe8
SHA512
8a2c6e5cdf539a001f72c8776373efe7172dc0f31ff716b96deac64a1f6a22837a9ab1ddb930887103f33a2e2a85575f54daf6a133959ca689da6e13cf684861
-
C:\Users\Admin\AppData\Roaming\FCEB.BDB
Filesize
600B
MD5
f46ea7a7699fe038a2412622fe2946ac
SHA1
5d03c9aa5a1e9ec9e4589bc314077a14d07d1843
SHA256
a24747dd6d83bb9a3a690078c14c73f073838124fe1333c120d009be6f95884c
SHA512
cf9a97bd61465f7ea77e250ec9bf51a3d554d07dabdb3c79d4127984591aade7a5093ba293d18c51cf15f02e68607f61b813797a5bb4be4692179595119591a2
-
C:\Users\Admin\AppData\Roaming\FCEB.BDB
Filesize
996B
MD5
e5aae34ffbd3522df68d949c0865869f
SHA1
b88e842e56027ea2a25c22a5ae96edd410c375f2
SHA256
8f1c374765872013621b452e9344200cc25cec6084cee9656d51c5cf6b0343be
SHA512
93082e643531b23762aeb7f70de1c96479a8d770a1672015fc4062a9e9b60e099f217ea9e0115cbe8c7a754425b5a99ba8bdba5f301a6c1034556ab88b6871fc
-
memory/1692-2-0x0000000000760000-0x0000000000860000-memory.dmp
Filesize
1024KB
-
memory/1692-188-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-174-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-172-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-139-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-71-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-1-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-73-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/1692-74-0x0000000000760000-0x0000000000860000-memory.dmp
Filesize
1024KB
-
memory/2100-72-0x00000000004F4000-0x000000000050F000-memory.dmp
Filesize
108KB
-
memory/2100-70-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/2804-13-0x0000000000530000-0x0000000000630000-memory.dmp
Filesize
1024KB
-
memory/2804-14-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/2804-12-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB