Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2024 19:01
Static task: static1
Behavioral task: behavioral1
Sample: 85064c496c641eca567a1f3f03230426.exe
Resource: win7-20231215-en
General
Target: 85064c496c641eca567a1f3f03230426.exe
Size: 224KB
MD5: 85064c496c641eca567a1f3f03230426
SHA1: 50776082f7f07a8ac5d053688d195c51b6fc2f28
SHA256: a6276c89bdbf3c0b090d759b5dfbb9cd1f8d99da89379f618f8f49324a688d44
SHA512: 9efc11d2498f91157cc320b9cafbd5507f53a18c2fc8b678236cf8e23ade86c66f9e67888221fe456759b38eea7a2a4e3ce49cc845479755e039e5b4557f5068
SSDEEP: 3072:Bb8HR3liqe7oF2Ggr1bHm406OwlbSc+t1ro0ZkYHGqDcwpEID6wGUWcktOZx5WrI:Bge7AibmiQcjWG5MGUWttUx54I
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
pid  process
2860 cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                        pid   process                                target process
PID 2052 wrote to memory of 2860   2052  85064c496c641eca567a1f3f03230426.exe   cmd.exe
PID 2052 wrote to memory of 2860   2052  85064c496c641eca567a1f3f03230426.exe   cmd.exe
PID 2052 wrote to memory of 2860   2052  85064c496c641eca567a1f3f03230426.exe   cmd.exe
PID 2052 wrote to memory of 2860   2052  85064c496c641eca567a1f3f03230426.exe   cmd.exe
PID 2860 wrote to memory of 2140   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 2140   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 2140   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 2140   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 1068   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 1068   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 1068   2860  cmd.exe                                attrib.exe
PID 2860 wrote to memory of 1068   2860  cmd.exe                                attrib.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
pid  process
2140 attrib.exe
1068 attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\5CC0TM~1.BAT
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe"
         - Views/modifies file attributes

      3. C:\Windows\SysWOW64\attrib.exe
         command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\5CC0.tmp.bat"
         - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\5CC0.tmp.bat
Filesize: 478B
MD5: ede2d59aee5caffcf806d7d127c8091d
SHA1: 9659fd198aefb5583713fc4430d093292c07deda
SHA256: 8465d4c27f4e5d7c686a98d94af932c55988f86704d9c46fc95916f5f2112a75
SHA512: b49d677f3e0ce25ffeae2c0b1e825f0fefa6cba49f64895a1eeff78c1a4d6d464544a2b231b16a5b5f9c5db0bebefe47ab953caa0ff20bd3617f3bc1e0f2fa19

memory/2052-1-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB

memory/2052-0-0x0000000000250000-0x0000000000251000-memory.dmp
Filesize: 4KB

memory/2052-3-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB