29e77b7f9e0bf2560fc15d5f4bcd23bbdc3999637b1f720cca4d4f02e88b117e

Analysis

max time kernel
92s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 15:41

Target

8cb5826c9f4f25ab076b1458bd300f1d.exe
Size

1.6MB
MD5

8cb5826c9f4f25ab076b1458bd300f1d
SHA1

88e463d19c8cabd865e596986968757e773938ee
SHA256

29e77b7f9e0bf2560fc15d5f4bcd23bbdc3999637b1f720cca4d4f02e88b117e
SHA512

8bbdfdd3a1c388f1870bf9b90bcd201a91e3bf886ea988de0d2c447e86a690a2c5a4406665b247917e15c9832d482fd1f170e505034da4ea43925fa86cee25e7
SSDEEP

49152:JQagM/VkLHwbwexxcTcoOfhc8AxOVnbw+ij/TtCfjnbIc:GEVkLAxPo0c8hB9ijMjb9

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 8 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 64	3532	8cb5826c9f4f25ab076b1458bd300f1d.exe	86
PID 3532 wrote to memory of 64	3532	8cb5826c9f4f25ab076b1458bd300f1d.exe	86
PID 3532 wrote to memory of 64	3532	8cb5826c9f4f25ab076b1458bd300f1d.exe	86

C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe
"C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe
  "C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_f2a51bd0"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\pkg_f2a51bd0\autorun.txt

Filesize
141B

MD5
690b8f7377a7cf17f298521cf98e8bc3

SHA1
6743ec81f5d421deb024ead4f690e0746ff850fd

SHA256
8589cc3b40172feac2691bf7406802c906386a8c6baba4bdcd9fd5e6e930e8ce

SHA512
83be2f79df50f2cd055d313dedbb267b7f28334fd7ef5eec5d605b3fb140645318ffeea886c48954d917707d085d248fdff19e8f8a4b80447d95d797d4842553

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_f2a51bd0\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit