Analysis
max time kernel: 91s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-02-2024 01:14
Static task: static1
Behavioral task: behavioral1
Sample: 9a666025866105b65cc196b4e0bf3ee7.exe
Resource: win7-20231215-en
General
Target: 9a666025866105b65cc196b4e0bf3ee7.exe
Size: 200KB
MD5: 9a666025866105b65cc196b4e0bf3ee7
SHA1: a64cfaefd7e8b8ae312a80bf7c403ebd00be7334
SHA256: 7aba204304f9cefbdd41c0bb1c207011b4889a7b4a3890ee673be2760f5b87e8
SHA512: efc2716bfd4916e300f7530d9e09eed80bf8278dc2e9ddf801f430fbd514c5b03f0f203d8513c690b859d599b0d25138316a95c581dac6888fc7e53b727f621d
SSDEEP: 6144:1OY5Bj3VHC+mhRicqp2qyjlWYaLWt0buNRxga:1b553V5ZziMWtzL
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    wrote to memory of 1004 | 1232 | 9a666025866105b65cc196b4e0bf3ee7.exe | cmd.exe
    wrote to memory of 1004 | 1232 | 9a666025866105b65cc196b4e0bf3ee7.exe | cmd.exe
    wrote to memory of 1004 | 1232 | 9a666025866105b65cc196b4e0bf3ee7.exe | cmd.exe
    wrote to memory of 3168 | 1004 | cmd.exe | attrib.exe
    wrote to memory of 3168 | 1004 | cmd.exe | attrib.exe
    wrote to memory of 3168 | 1004 | cmd.exe | attrib.exe
    wrote to memory of 4308 | 1004 | cmd.exe | attrib.exe
    wrote to memory of 4308 | 1004 | cmd.exe | attrib.exe
    wrote to memory of 4308 | 1004 | cmd.exe | attrib.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes (pid | process):
    3168 | attrib.exe
    4308 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9a666025866105b65cc196b4e0bf3ee7.exe (PID 1232)
  command line: "C:\Users\Admin\AppData\Local\Temp\9a666025866105b65cc196b4e0bf3ee7.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1004)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Sun\Java\516CTM~1.BAT
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 3168)
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\9a666025866105b65cc196b4e0bf3ee7.exe"
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe (PID 4308)
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Sun\Java\516C.tmp.bat"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Sun\Java\516C.tmp.bat
  Filesize: 422B
  MD5: cc186d26de6fda4cdbe9e66644d80f2b
  SHA1: 961af7b27960970b5c341addc1716b3ba5abf04d
  SHA256: 69afd5aab439346d00b66a560f5531a5a0a1dc611cde9afcbb59320a33c0ad89
  SHA512: 4884b4933c3de57b8afb7a01984cd73a73a8c76217524d20e104721f64797200fb1759ddaf35e8663f165229dcee6346a4db5cfa822e515968659c4b581a28c6
- memory/1232-1-0x00000000021A0000-0x00000000021A1000-memory.dmp
  Filesize: 4KB
- memory/1232-2-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize: 200KB