597ca08dea2c7aa2551cd932c2d79cc6f12fb24f4ac9ecaf1ba45a0c3576c3e2

Analysis

max time kernel
91s
max time network
137s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 13:46

Target

Authenticator.exe
Size

3.5MB
MD5

7c0c6044c5a9a14feb436705b0eb29d2
SHA1

029d9abe075599e013aa1e76d33b78470aab9c5b
SHA256

597ca08dea2c7aa2551cd932c2d79cc6f12fb24f4ac9ecaf1ba45a0c3576c3e2
SHA512

64bdeec8be75a99687c1ccf3284e6453f48978b9fcebcf6ef8a31e7e36ba7fd38f2e0a31ae79693cae1fa44930a1752341dd173989f4fe42caaef541767ce074
SSDEEP

49152:yNAryfH4y9JnO/BXCRr2mLxZHQy1RhCvBl6j/IvOnb08InAT23HAGdmb:322/vjAbYb3gGd

Score

7^/10

spyware stealer

Executes dropped EXE 1 IoCs

pid	Process
1832	ConvertDatabase_[2MB]_[unsign].exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe
1832	ConvertDatabase_[2MB]_[unsign].exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1832	2656	Authenticator.exe	82
PID 2656 wrote to memory of 1832	2656	Authenticator.exe	82
PID 2656 wrote to memory of 1832	2656	Authenticator.exe	82

C:\Users\Admin\AppData\Local\Temp\Authenticator.exe
"C:\Users\Admin\AppData\Local\Temp\Authenticator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Temp\Kits64\1\ConvertDatabase_[2MB]_[unsign].exe
  "C:\Temp\Kits64\1/ConvertDatabase_[2MB]_[unsign].exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1832

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Temp\Kits64\1\ConvertDatabase_[2MB]_[unsign].exe

Filesize
2.8MB

MD5
4404d147bc680a067abd60f798b60647

SHA1
8c484e8d27795725d58f31cd16e2c955c0d91b0a

SHA256
ae5dbcaa5ce696f3bef64c58e1461ec91da0cf8ab35569a0f057289f3ecbddcd

SHA512
cd58a787587591808d6f71a6c57778191a5aa8a9b9fdaaf5aacb14a04f4530b98b80621f475a249999c431898e069451ecaa29c375fcc879f8b1017e9a388100

Download Submit
memory/1832-3-0x0000000002400000-0x0000000002463000-memory.dmp

Filesize
396KB

Download
memory/1832-20-0x0000000002400000-0x0000000002463000-memory.dmp

Filesize
396KB

Download
memory/1832-22-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download