Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 01:47
Static task: static1
Behavioral task: behavioral1, sample a7e7c55d763359f4b590ea4eec10b800.exe, resource win7-20240220-en
Behavioral task: behavioral2, sample a7e7c55d763359f4b590ea4eec10b800.exe, resource win10v2004-20240226-en
General
Target: a7e7c55d763359f4b590ea4eec10b800.exe
Size: 430KB
MD5: a7e7c55d763359f4b590ea4eec10b800
SHA1: c9c9c25f0f90048face442c607428cfbfdc3798b
SHA256: 7ea4937a54c4f1373be662d2a8c3bb4aa34faf25dff90318921bdc5a5853524c
SHA512: 71fedc8d1d8961c9e253876f66f434694fe7df200d391af577602a83046bc4698bb174cb93ecc78ef9bb4b75fa19cf15d35d21f4b349c29fd22008c4089bd08a
SSDEEP: 6144:e/U771TbuciCpDrVoOdwruNfqpKkP2sv/3gh6CMqEfRYM43Tj6QdSkUvd:jIhCpDrVjD9qKU2NhynGj6QdSHvd
Malware Config
Signatures
-
Panda Stealer payload 5 IoCs
resource | yara_rule
behavioral2/memory/736-6-0x0000000000400000-0x000000000047A000-memory.dmp | family_pandastealer
behavioral2/memory/736-8-0x0000000000400000-0x000000000047A000-memory.dmp | family_pandastealer
behavioral2/memory/736-9-0x0000000000400000-0x000000000047A000-memory.dmp | family_pandastealer
behavioral2/memory/736-11-0x0000000000400000-0x000000000047A000-memory.dmp | family_pandastealer
behavioral2/memory/736-35-0x0000000000400000-0x000000000047A000-memory.dmp | family_pandastealer
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Shurk
Shurk is an infostealer written in C++ which appeared in 2021.
-
Shurk Stealer payload 5 IoCs
resource | yara_rule
behavioral2/memory/736-6-0x0000000000400000-0x000000000047A000-memory.dmp | shurk_stealer
behavioral2/memory/736-8-0x0000000000400000-0x000000000047A000-memory.dmp | shurk_stealer
behavioral2/memory/736-9-0x0000000000400000-0x000000000047A000-memory.dmp | shurk_stealer
behavioral2/memory/736-11-0x0000000000400000-0x000000000047A000-memory.dmp | shurk_stealer
behavioral2/memory/736-35-0x0000000000400000-0x000000000047A000-memory.dmp | shurk_stealer
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other profile data.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4168 set thread context of 736 | 4168 | a7e7c55d763359f4b590ea4eec10b800.exe | a7e7c55d763359f4b590ea4eec10b800.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
736 | a7e7c55d763359f4b590ea4eec10b800.exe
736 | a7e7c55d763359f4b590ea4eec10b800.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4168 | a7e7c55d763359f4b590ea4eec10b800.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 4168 wrote to memory of 736 | 4168 | a7e7c55d763359f4b590ea4eec10b800.exe | a7e7c55d763359f4b590ea4eec10b800.exe
(the same row is recorded 10 times)
Processes
C:\Users\Admin\AppData\Local\Temp\a7e7c55d763359f4b590ea4eec10b800.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a7e7c55d763359f4b590ea4eec10b800.exe"
  PID: 4168
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\a7e7c55d763359f4b590ea4eec10b800.exe
    command line: C:\Users\Admin\AppData\Local\Temp\a7e7c55d763359f4b590ea4eec10b800.exe
    PID: 736
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/736-6-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)
- memory/736-8-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)
- memory/736-9-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)
- memory/736-11-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)
- memory/736-35-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)
- memory/4168-0-0x0000000000E80000-0x0000000000EEE000-memory.dmp (440KB)
- memory/4168-1-0x00000000753B0000-0x0000000075B60000-memory.dmp (7.7MB)
- memory/4168-2-0x00000000059B0000-0x00000000059C0000-memory.dmp (64KB)
- memory/4168-3-0x0000000005860000-0x0000000005874000-memory.dmp (80KB)
- memory/4168-4-0x00000000058F0000-0x0000000005966000-memory.dmp (472KB)
- memory/4168-5-0x00000000058D0000-0x00000000058EE000-memory.dmp (120KB)
- memory/4168-10-0x00000000753B0000-0x0000000075B60000-memory.dmp (7.7MB)
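All five dumps of PID 736 cover the same 0x400000-0x47A000 region (0x7A000 bytes, the 488KB listed), which is where the family_pandastealer and shurk_stealer rules matched. Before treating such a dump as the unpacked payload it is worth checking that it is a mapped PE image whose ImageBase and SizeOfImage match the region, and, if it is to be handed to static tools, realigning the section table so the file offsets equal the virtual addresses. The code below is an added example, not code from the report or from either malware family: it parses the PE headers of an in-memory image, assesses it against the region bounds, and rewrites the section table. The stub image it builds is constructed, and its section names, sizes and on-disk offsets (0x400 and so on) are assumptions chosen only so that the stub spans exactly 0x7A000 bytes.

```python
import struct

# Region of PID 736 the report's YARA rules matched (five dumps, all 0x7A000 bytes).
REGION_START, REGION_END = 0x400000, 0x47A000

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_headers(buf):
    """Minimal PE32/PE32+ header walk over an in-memory image; None if not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                          # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                        # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_FMT, buf, sec_table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "entry": entry, "size_of_image": size_of_image,
            "sections": sections, "section_table": sec_table}


def assess_dump(buf, region_start, region_end):
    """Decide whether a dumped region is the complete mapped image it claims to be."""
    hdr = parse_pe_headers(buf)
    if hdr is None:
        return {"is_pe": False}
    return {
        "is_pe": True,
        "base_matches_region": hdr["image_base"] == region_start,
        "size_matches_region": hdr["size_of_image"] == region_end - region_start,
        "entry_point": hdr["image_base"] + hdr["entry"],
        # File offsets that differ from the virtual addresses mean the header
        # still carries its on-disk layout while the sections sit at their
        # mapped addresses, i.e. this is a loaded image, not a file copy.
        "mapped_layout": any(s["rawptr"] != s["va"] for s in hdr["sections"]),
    }


def realign_for_disk(buf):
    """Rewrite the section table so PointerToRawData == VirtualAddress and
    SizeOfRawData == VirtualSize, which makes a mapped dump parse as a file."""
    out = bytearray(buf)
    hdr = parse_pe_headers(out)
    for i, s in enumerate(hdr["sections"]):
        off = hdr["section_table"] + 40 * i
        struct.pack_into("<II", out, off + 16, s["vsize"], s["va"])  # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_sample_image():
    """Constructed stand-in for a dump of 0x400000-0x47A000: a PE32 stub whose
    header still carries on-disk section offsets (assumed values)."""
    secs = [(b".text", 0x1000, 0x4F000, 0x400),     # (name, VA, VirtualSize, PointerToRawData)
            (b".rdata", 0x50000, 0x20000, 0x4F400),
            (b".data", 0x70000, 0xA000, 0x6F400)]   # ends at 0x7A000 == SizeOfImage
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, REGION_START)   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200) # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x7A000, 0x400)  # SizeOfImage, SizeOfHeaders
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, vs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, rp in secs)
    image = bytearray(0x7A000)
    hdr = bytes(dos) + coff + bytes(opt) + table
    image[:len(hdr)] = hdr
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print(assess_dump(img, REGION_START, REGION_END))
    print(parse_pe_headers(realign_for_disk(img))["sections"])
```

To use it on the real artefacts, replace `build_sample_image()` with the bytes of one of the 736 dumps and pass the region bounds from the file name. A dump that passes every check is a single whole image and is the right input for static analysis; one whose ImageBase does not match the region was relocated or manually mapped and needs rebasing first. Realigning the section table does not restore the import table: if the loader or the unpacking stub resolved the IAT in place, those entries have to be rebuilt separately.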