Analysis
max time kernel
147s
max time network
175s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
10-04-2024 10:05
Static task
static1
Behavioral task
behavioral1
Sample
2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
Resource
win7-20240221-en
General
Target
2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
Size
731KB
MD5
a92bd5072f0e3e683be1b27117df76d7
SHA1
a80db2f724e6d10c4b704f8e221c0946f5a12ad8
SHA256
2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca
SHA512
0b48fdc20d3d3aae604a333f708bb5d4bbdd79be7e6059e703654aa31e8e362b240fa290c386a9e86ab0ffbc4d875a24c77fae8b1ef3466b347206c085782dd4
SSDEEP
12288:D9y9tmvboNKAM9qPg6f0blJwoodEJLaCyi5yHi1+xuQD6rCPUh/rYbhS:U9mENKAiGolJwooKJVy8+oQDkCPUhk1S
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\l: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\n: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\u: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\a: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\b: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\e: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\g: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\k: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\o: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\v: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\w: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\y: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\j: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\m: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\q: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\s: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\t: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\x: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\h: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\i: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\p: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\r: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
File opened (read-only) | \??\z: | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
AutoIT Executable (14 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2548-4-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-7-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-8-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-9-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-11-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-15-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-23-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-27-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-31-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-43-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-47-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-59-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-63-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2548-81-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | Process | procid_target
PID 2540 set thread context of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | Process | procid_target
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2540 wrote to memory of 2548 | 2540 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 29
PID 2548 wrote to memory of 2416 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 30
PID 2548 wrote to memory of 2416 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 30
PID 2548 wrote to memory of 2416 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 30
PID 2548 wrote to memory of 2416 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 30
PID 2548 wrote to memory of 2320 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 32
PID 2548 wrote to memory of 2320 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 32
PID 2548 wrote to memory of 2320 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 32
PID 2548 wrote to memory of 2320 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 32
PID 2548 wrote to memory of 2176 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 34
PID 2548 wrote to memory of 2176 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 34
PID 2548 wrote to memory of 2176 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 34
PID 2548 wrote to memory of 2176 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 34
PID 2548 wrote to memory of 772 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 36
PID 2548 wrote to memory of 772 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 36
PID 2548 wrote to memory of 772 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 36
PID 2548 wrote to memory of 772 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 36
PID 2548 wrote to memory of 568 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 38
PID 2548 wrote to memory of 568 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 38
PID 2548 wrote to memory of 568 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 38
PID 2548 wrote to memory of 568 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 38
PID 2548 wrote to memory of 2628 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 40
PID 2548 wrote to memory of 2628 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 40
PID 2548 wrote to memory of 2628 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 40
PID 2548 wrote to memory of 2628 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 40
PID 2548 wrote to memory of 2476 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 42
PID 2548 wrote to memory of 2476 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 42
PID 2548 wrote to memory of 2476 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 42
PID 2548 wrote to memory of 2476 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 42
PID 2548 wrote to memory of 2316 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 44
PID 2548 wrote to memory of 2316 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 44
PID 2548 wrote to memory of 2316 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 44
PID 2548 wrote to memory of 2316 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 44
PID 2548 wrote to memory of 932 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 46
PID 2548 wrote to memory of 932 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 46
PID 2548 wrote to memory of 932 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 46
PID 2548 wrote to memory of 932 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 46
PID 2548 wrote to memory of 2644 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 48
PID 2548 wrote to memory of 2644 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 48
PID 2548 wrote to memory of 2644 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 48
PID 2548 wrote to memory of 2644 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 48
PID 2548 wrote to memory of 2632 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 50
PID 2548 wrote to memory of 2632 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 50
PID 2548 wrote to memory of 2632 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 50
PID 2548 wrote to memory of 2632 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 50
PID 2548 wrote to memory of 1616 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 52
PID 2548 wrote to memory of 1616 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 52
PID 2548 wrote to memory of 1616 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 52
PID 2548 wrote to memory of 1616 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 52
PID 2548 wrote to memory of 1756 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 54
PID 2548 wrote to memory of 1756 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 54
PID 2548 wrote to memory of 1756 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 54
PID 2548 wrote to memory of 1756 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 54
PID 2548 wrote to memory of 2296 | 2548 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe | 56
Processes
(process tree; indentation and "depth" give the parent/child level)

C:\Users\Admin\AppData\Local\Temp\2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe"
  PID: 2540
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca.exe
    PID: 2548
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
      PID: 2416

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
      PID: 2320

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
      PID: 2176

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
      PID: 772

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
      PID: 568

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
      PID: 2628

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
      PID: 2476

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
      PID: 2316

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
      PID: 932

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
      PID: 2644

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
      PID: 2632

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
      PID: 1616

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
      PID: 1756

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
      PID: 2296

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
      PID: 2896

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
      PID: 1104

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
      PID: 1540

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
      PID: 1344