Analysis

max time kernel: 131s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 10:56

Static task: static1
Behavioral task: behavioral1
Sample: 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
Resource: win7-20240221-en

General

Target: 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
Size: 878KB
MD5: e3ed0d3b6f801d8ffe8dc18b262c14c5
SHA1: a3c499d65a090b2df7fb519a9a366f4cb3d39f79
SHA256: 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f
SHA512: cc40b7f5e5acaecc3567635a4df4068f3f2d35253ff4db20dcdfcf8be98c3167643709173035980dd4030f338517c3b2f2cf12daadb5c45daf5b8094d6d48f34
SSDEEP: 24576:dAHnh+eWsN3skA4RV1Hom2KXMmHau635:8h+ZkldoPK8Yaum
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  description | ioc | process
  File opened (read-only) | \??\k: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\l: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\m: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\n: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\p: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\r: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\t: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\w: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\x: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\z: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\e: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\j: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\o: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\s: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\y: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\a: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\b: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\q: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\u: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\v: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\g: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\h: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  File opened (read-only) | \??\i: | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  description | pid | process | target process
  PID 4848 wrote to memory of 3104 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3104 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3104 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5100 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5100 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5100 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1972 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1972 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1972 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1560 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1560 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1560 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1932 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1932 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1932 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4712 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4712 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4712 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2280 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2280 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2280 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 432 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 432 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 432 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5048 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5048 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5048 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4528 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4528 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4528 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2288 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2288 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2288 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3744 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3744 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3744 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3964 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3964 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3964 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1572 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1572 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1572 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5020 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5020 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 5020 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4504 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4504 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4504 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2452 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2452 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 2452 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4392 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4392 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4392 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1284 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1284 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1284 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1528 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1528 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 1528 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4756 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4756 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 4756 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
  PID 4848 wrote to memory of 3824 | 4848 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe | cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f.exe"
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID: 4848
  Child processes (all C:\Windows\SysWOW64\cmd.exe):
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    PID: 3104
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    PID: 5100
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    PID: 1972
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.docx" /S /B /A
    PID: 1560
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.docm" /S /B /A
    PID: 1932
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    PID: 4712
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    PID: 2280
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    PID: 432
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xls" /S /B /A
    PID: 5048
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xlsx" /S /B /A
    PID: 4528
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xlsm" /S /B /A
    PID: 2288
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    PID: 3744
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    PID: 3964
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    PID: 1572
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    PID: 5020
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    PID: 4504
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pptx" /S /B /A
    PID: 2452
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    PID: 4392
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    PID: 1284
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    PID: 1528
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    PID: 4756
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    PID: 3824
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    PID: 4492
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    PID: 4144
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    PID: 2732
  - Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    PID: 4364