Analysis
-
max time kernel
107s -
max time network
125s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
25-05-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe
Resource
win10v2004-20240508-en
General
-
Target
9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe
-
Size
574KB
-
MD5
3de3b5b66df61de3be752238d11317e3
-
SHA1
57d0958ba4da33f65773eb0b45e231f7423fe079
-
SHA256
9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab
-
SHA512
92572d0daf365cba95cc83718d054b6149fd6fa3a1991b545c02423c668c93f9f30ebd86fc0972a29feb5b08576a1d40214fb98926cdc7531499e4e4f0ef91c0
-
SSDEEP
12288:yr2Ot3stLajVxxEFscjUJoRno+1dXIip6mUrZfmFzOQ84e:s3IIVxxQsFodhdXxacIhP
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3344 set thread context of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4348 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4348 RegAsm.exe Token: SeBackupPrivilege 4348 RegAsm.exe Token: SeSecurityPrivilege 4348 RegAsm.exe Token: SeSecurityPrivilege 4348 RegAsm.exe Token: SeSecurityPrivilege 4348 RegAsm.exe Token: SeSecurityPrivilege 4348 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81 PID 3344 wrote to memory of 4348 3344 9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe"C:\Users\Admin\AppData\Local\Temp\9b9438e01b7841dad1cda34aae49f7bc60e09f88ab4e6f639b838e72becf20ab.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348
-