Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2024 19:01
Static task: static1
Behavioral task: behavioral1
Sample: 85064c496c641eca567a1f3f03230426.exe
Resource: win7-20231215-en
General
Target: 85064c496c641eca567a1f3f03230426.exe
Size: 224KB
MD5: 85064c496c641eca567a1f3f03230426
SHA1: 50776082f7f07a8ac5d053688d195c51b6fc2f28
SHA256: a6276c89bdbf3c0b090d759b5dfbb9cd1f8d99da89379f618f8f49324a688d44
SHA512: 9efc11d2498f91157cc320b9cafbd5507f53a18c2fc8b678236cf8e23ade86c66f9e67888221fe456759b38eea7a2a4e3ce49cc845479755e039e5b4557f5068
SSDEEP: 3072:Bb8HR3liqe7oF2Ggr1bHm406OwlbSc+t1ro0ZkYHGqDcwpEID6wGUWcktOZx5WrI:Bge7AibmiQcjWG5MGUWttUx54I
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The only browser-related artifact this report shows is the batch file dropped under C:\Users\Admin\AppData\Roaming\Mozilla, which is the Firefox profile root; the report does not show which profile files, if any, were actually read.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each pair was recorded three times):
PID 3604 (85064c496c641eca567a1f3f03230426.exe) wrote to memory of PID 628 (cmd.exe)
PID 628 (cmd.exe) wrote to memory of PID 3676 (attrib.exe)
PID 628 (cmd.exe) wrote to memory of PID 1360 (attrib.exe)
Every write is from a parent into a child it has just created, which is what process start-up looks like; the report shows no write into an unrelated process, so this signature on its own is not evidence of injection.
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
PID 3676 attrib.exe
PID 1360 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe (PID 3604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 628)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\468ETM~1.BAT
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe"
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\468E.tmp.bat"
      - Views/modifies file attributes
Two details of this tree matter for detection. cmd.exe and attrib.exe resolve to C:\Windows\SysWOW64 although the command line names system32: that is WoW64 file-system redirection, so the sample runs as a 32-bit process. And cmd.exe is handed the batch by its 8.3 alias, 468ETM~1.BAT, while attrib.exe later names the same file by its long name, 468E.tmp.bat; a rule that keys only on the long filename misses the first command line. Clearing the read-only, system and hidden attributes on the dropper and on the batch itself is a common preparation for deleting both; the report shows only the attrib step, not any deletion.
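As an added example (not part of the sandbox report and not the vendor's own detection logic), the following Python models the chain above as Sysmon-style process-creation events and flags attrib.exe invocations that clear the hidden bit on the parent executable of the spawning cmd.exe or on the batch file that cmd.exe is running. The events are constructed from the process tree; the sample's own parent (PID 1234), the field layout and the benign attrib event used as a negative control are assumptions. The 8.3 alias comparison handles the 468ETM~1.BAT / 468E.tmp.bat mismatch.

```python
"""Detect the self-cleanup chain from the report: dropper -> cmd.exe /c <batch under
%APPDATA%> -> attrib.exe -R -S -H on the dropper and on the batch itself.

The events below are constructed Sysmon-style process-creation records (field names
mirror Event ID 1); they are not the sandbox's raw output. The sample's own parent
(PID 1234) is an assumption, as is the benign attrib event used as a negative control."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # Image: full path of the created process
    cmdline: str   # CommandLine as the sensor recorded it


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85064c496c641eca567a1f3f03230426.exe"
EVENTS = [
    ProcEvent(3604, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(628, 3604, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\468ETM~1.BAT"),
    ProcEvent(3676, 628, r"C:\Windows\SysWOW64\attrib.exe", f'attrib -R -S -H "{SAMPLE}"'),
    ProcEvent(1360, 628, r"C:\Windows\SysWOW64\attrib.exe",
              r'attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\468E.tmp.bat"'),
    # Constructed negative control: attrib from an interactive shell, no dropper parent.
    ProcEvent(4100, 4000, r"C:\Windows\System32\attrib.exe",
              r"attrib +R C:\Users\Admin\Documents\notes.txt"),
]

# cmd.exe /c <something>.bat; matches the 8.3 alias (468ETM~1.BAT) as well as the long name.
BAT_ARG = re.compile(r'(?i)/c\s+"?([^"\s]+\.bat)')
# attrib with one or more clear flags (-R -S -H -A) followed by a single, optionally quoted target.
ATTRIB_CLEAR = re.compile(r'(?i)^\s*(?:\S*\\)?attrib(?:\.exe)?\s+((?:-[RSHA]\s+)+)"?([^"]+?)"?\s*$')


def plausible_8dot3(short: str, long: str) -> bool:
    """Whether `short` could be the 8.3 alias Windows generates for `long`.
    Models the common form only (first six significant characters + ~N + 3-char
    extension); the hash-based aliases used after repeated collisions are not handled."""
    short, long = short.upper(), long.upper()
    if short == long:
        return True
    s_base, _, s_ext = short.partition(".")
    l_base, _, l_ext = long.rpartition(".") if "." in long else (long, "", "")
    l_base = re.sub(r"[^A-Z0-9]", "", l_base)  # dots and spaces are dropped in the alias
    m = re.fullmatch(r"([A-Z0-9]{1,6})~\d+", s_base)
    return bool(m) and l_base.startswith(m.group(1)) and l_ext[:3] == s_ext


def find_cleanup_chains(events):
    """Return (cmd_pid, attrib_pid, reason) for each attrib.exe, spawned by a cmd.exe that
    is running a batch from %APPDATA%, that clears the hidden bit on the cmd.exe's parent
    executable or on the batch file itself."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_ARG.search(cmd.cmdline)
        if not m or "\\appdata\\roaming\\" not in m.group(1).lower():
            continue
        bat = PureWindowsPath(m.group(1))
        dropper = by_pid.get(cmd.ppid)  # the process that launched cmd.exe, if the sensor saw it
        for child in events:
            if child.ppid != cmd.pid or not child.image.lower().endswith("\\attrib.exe"):
                continue
            a = ATTRIB_CLEAR.match(child.cmdline)
            if not a or "H" not in a.group(1).upper():
                continue
            target = PureWindowsPath(a.group(2))  # PureWindowsPath compares case-insensitively
            if dropper is not None and target == PureWindowsPath(dropper.image):
                findings.append((cmd.pid, child.pid, "unhides parent executable"))
            elif target.parent == bat.parent and plausible_8dot3(bat.name, target.name):
                findings.append((cmd.pid, child.pid, "unhides launching batch file"))
    return findings


if __name__ == "__main__":
    for cmd_pid, attrib_pid, reason in find_cleanup_chains(EVENTS):
        print(f"cmd.exe {cmd_pid} -> attrib.exe {attrib_pid}: {reason}")
```

Run against the constructed events it reports both attrib processes (3676 on the dropper, 1360 on the batch) and ignores the interactive attrib. The batch-file match is done on directory plus an 8.3 comparison rather than on filename equality, because the sensor recorded the two names differently for the same file; if the dropper's own creation event is missing, only the batch-file finding survives.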
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Mozilla\468E.tmp.bat
  Filesize: 420B
  MD5: cf66686088827579f82cf6a242327a14
  SHA1: ac897b5c8a5ae95fc413f3ed206171abc0989948
  SHA256: d1ff6d556ca3215d7a0583575c5e5ba79edb28c971fa6be7f35a426895d0646d
  SHA512: b073495829cc1133c4b2730df3def14d5de3c3fe4af73f580f82dfb9e6a1990a67f531a35ac4d80a6e9798723e418de9afac0869fda393fa5c70b5c430c7d666
memory/3604-3-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
memory/3604-1-0x0000000000600000-0x0000000000601000-memory.dmp
  Filesize: 4KB
The 0x00400000-0x00438000 dump (0x38000 = 229376 bytes = 224KB) matches the size of the file on disk and sits at the default 32-bit image base, so it is the sample's own mapped image; the 4KB region at 0x00600000 is a separate allocation. The 420-byte batch file is listed only by hash; its contents are not shown in this report.