Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-03-2024 17:32
Static task
- static1
Behavioral task
- behavioral1
  Sample: c3f2e8fd30333a61c12e21c3184aa491.exe
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: c3f2e8fd30333a61c12e21c3184aa491.exe
  Resource: win10v2004-20240226-en
General
- Target: c3f2e8fd30333a61c12e21c3184aa491.exe
- Size: 181KB
- MD5: c3f2e8fd30333a61c12e21c3184aa491
- SHA1: 8ce372191f5e57689c8aa884189b0c540faf0612
- SHA256: 4917b8502387f28358f9db081bc736c7be1bf0aeae854ab590228a4b63ce7b58
- SHA512: 91ed8cd43ec7e1862c6565adc6ab6fb21188dbdeccaa9b5f15fcdd0af17b684253932ad27757e16857056f8d61174590553640d9012bc9a6d7be2df6debc5342
- SSDEEP: 3072:IcZ373SC4nf9Wo7nSAweoUuhPLkKPCYjWN3qNdI4pbqwrwHtyhK8O5:IK37321WCvweoUKLjKYiNAdRpWwm8hK8
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches
  resource                                                                    yara_rule
  behavioral1/memory/2220-1-0x0000000000400000-0x0000000000450000-memory.dmp     upx
  behavioral1/memory/2520-14-0x0000000000400000-0x0000000000450000-memory.dmp    upx
  behavioral1/memory/2520-12-0x0000000000400000-0x0000000000450000-memory.dmp    upx
  behavioral1/memory/2556-80-0x0000000000400000-0x0000000000450000-memory.dmp    upx
  behavioral1/memory/2220-81-0x0000000000400000-0x0000000000450000-memory.dmp    upx
  behavioral1/memory/2220-83-0x0000000000400000-0x0000000000450000-memory.dmp    upx
  behavioral1/memory/2220-154-0x0000000000400000-0x0000000000450000-memory.dmp   upx
  behavioral1/memory/2220-183-0x0000000000400000-0x0000000000450000-memory.dmp   upx
  behavioral1/memory/2220-184-0x0000000000400000-0x0000000000450000-memory.dmp   upx
  behavioral1/memory/2220-194-0x0000000000400000-0x0000000000450000-memory.dmp   upx
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    Process                                  procid_target
  PID 2220 wrote to memory of 2520    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     28
  PID 2220 wrote to memory of 2520    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     28
  PID 2220 wrote to memory of 2520    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     28
  PID 2220 wrote to memory of 2520    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     28
  PID 2220 wrote to memory of 2556    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     30
  PID 2220 wrote to memory of 2556    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     30
  PID 2220 wrote to memory of 2556    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     30
  PID 2220 wrote to memory of 2556    2220   c3f2e8fd30333a61c12e21c3184aa491.exe     30
Processes
- C:\Users\Admin\AppData\Local\Temp\c3f2e8fd30333a61c12e21c3184aa491.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3f2e8fd30333a61c12e21c3184aa491.exe"
  PID: 2220
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c3f2e8fd30333a61c12e21c3184aa491.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c3f2e8fd30333a61c12e21c3184aa491.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 2520
  - C:\Users\Admin\AppData\Local\Temp\c3f2e8fd30333a61c12e21c3184aa491.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c3f2e8fd30333a61c12e21c3184aa491.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 3237bb7ea8619f9b8efda3c43138c714
  SHA1: d8e69c9244bda8063e482bea42072238c42645f4
  SHA256: 8080281a8a284822b2b1dddebe1352ed2951b08c6cc851573150364ea6a811d2
  SHA512: ffde93e8d3458590005c6d0fed7c14779a77472fd5bc8fcd241ad73fc348f7ef2f014b8c7bf350d8b394aa64a1665579250e5f6a8e813d87e72c683b739619f0
- Filesize: 600B
  MD5: 3fb19eef40359fd7443d7a69b9d38037
  SHA1: 88dd40d4accd12131e5d22e02b4521718366912e
  SHA256: 7dfbb7c3605bc51172c2bfd959ee35e83f2b5fa402e205978b007d06a5749c81
  SHA512: 807c75074061a6995332a6aa8b0c09100bfdf9685d38c6f9a1c1e33847e3e5c2955c431303c4c45e4c728c50258504ae14c94f1ba5fb78a4dd932ab455c659c1
- Filesize: 996B
  MD5: 9fc30e26301377b298c91f38bda7b85b
  SHA1: 7a7e6ed6a3c86c3fc0bcda68d718171176f83108
  SHA256: ff9d4f0bf65d9b995ae2e6c8710f2e21c9f962423b822736b6c5159d039ce7fb
  SHA512: 9dcac5301e2682b43379265efc0292c57cde5617a7f978518d5ce3b3fd08037bcaa2347fba61e633efb73573f613324d7b05052f10ae416ab324c6bc18ae53b5