Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

arch:x64  arch:x86  image:win7-20240221-en  locale:en-us  os:windows7-x64  system
  • submitted
    03-06-2024 09:36

General

  • Target

    12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe

  • Size

    17KB

  • MD5

    a7154b65cdfde85390a60b287ccc5d0e

  • SHA1

    6663e3aabeaa93fa2af8748c4ccdf4b0c248f075

  • SHA256

    12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2

  • SHA512

    d2bbde8f754cd4b535e33019ceff80d31c9c9776e1331c5fc91c889bdcb596e11df7ac3759c91a91ee7b88eb99d884451a2868c6170d4ede8470d534e4f41cc3

  • SSDEEP

    384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/cION:IMAQ+BzWPEwnE+KHM2/YN

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and session cookies. This signature carries TTP mappings only: no IoC is listed for it and neither process in the tree below is tagged with it.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
    "C:\Users\Admin\AppData\Local\Temp\12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe"
    depth 1 (submitted sample)
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      depth 2 (child of PID 2340)
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1744
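The tree above is the chain the sandbox flags: the sample (PID 2340) writes svhost.exe into C:\Windows, registers it under a Run key and launches it (PID 1744). The script below is an added example, not part of the report, that correlates that chain from Sysmon-style events (IDs 1, 11 and 13) and also flags that the dropped name is one edit away from the legitimate svchost.exe, which lives in C:\Windows\System32 rather than directly in C:\Windows. The event records are constructed to mirror the tree; the HKLM location of the Run value, the sample's own parent PID 1200 and the benign OneDrive Run entry are assumptions.

```python
"""Correlate the drop / Run-key / execute chain from Sysmon-style events.

Added example, not part of the sandbox report.  EVENTS is constructed to
mirror the process tree: the sample (PID 2340) writes C:\\Windows\\svhost.exe,
registers it under a Run key and spawns it (PID 1744).  Assumptions: the Run
value lives under HKLM, the sample's own parent is PID 1200, and the OneDrive
Run value is an unrelated benign entry.  Field names follow Sysmon's schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe"
DROPPED = r"C:\Windows\svhost.exe"

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^C:\\Windows\\.+\.exe$", re.IGNORECASE)
# System binaries whose names malware imitates; the report's svhost.exe mimics
# svchost.exe, which legitimately lives in C:\Windows\System32.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}

# Constructed Sysmon-style records (EventID 1 = process create, 11 = file create,
# 13 = registry value set).  Not taken from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 2340, "ParentProcessId": 1200, "Image": SAMPLE},
    {"EventID": 11, "ProcessId": 2340, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "ProcessId": 2340, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1744, "ParentProcessId": 2340, "Image": DROPPED},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character name squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path):
    """Return the system binary name this basename imitates (distance 1), else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    for legit in sorted(SYSTEM_NAMES):
        if name != legit and edit_distance(name, legit) == 1:
            return legit
    return None


def find_drop_and_persist_chains(events):
    """Per writer PID: a file dropped under C:\\Windows, a Run value pointing at it,
    and an execution of it.  Returns one finding per dropped path."""
    drops = defaultdict(set)   # writer pid -> dropped paths (lowercased)
    run_values = {}            # target path (lowercased) -> registry value that launches it
    executions = {}            # image (lowercased) -> (pid, parent pid)
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and WINDIR_RE.match(ev["TargetFilename"]):
            drops[ev["ProcessId"]].add(ev["TargetFilename"].lower())
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            run_values[ev["Details"].strip('"').lower()] = ev["TargetObject"]
        elif eid == 1:
            executions[ev["Image"].lower()] = (ev["ProcessId"], ev["ParentProcessId"])

    findings = []
    for writer, paths in drops.items():
        for path in sorted(paths):
            exe = executions.get(path)
            findings.append({
                "dropper_pid": writer,
                "dropped": path,
                "run_value": run_values.get(path),          # None if no persistence seen
                "executed_pid": exe[0] if exe else None,
                "spawned_by_dropper": bool(exe and exe[1] == writer),
                "masquerades_as": lookalike_of(path),
            })
    return findings


if __name__ == "__main__":
    for finding in find_drop_and_persist_chains(EVENTS):
        print(finding)
```

The benign OneDrive Run value produces no finding because no file drop under C:\Windows is associated with it; the real chain is reported once with dropper PID 2340, child PID 1744 and the masqueraded name.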

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\blndNw9FyRk93yf.exe

    Filesize

    845B

    MD5

    b2c22c3a80071c4f2812cb6a539d1249

    SHA1

    fe23298a01fce8da76fed5d234aa7343ff1d7b83

    SHA256

    3c76c274baaf8780eda08f23e1c6a0e7fe17245c1f6bf5f7b8ed37c0a33b0990

    SHA512

    dcc4d38a96095604e7f5b0ddc9ab6a8bb219ffc5636bc83a416fab59fd4d6612624d3f8c653da4271b3486641446eb9ef9e8a782ab7dab8f871589692f77784a

  • C:\Users\Admin\AppData\Local\Temp\blndNw9FyRk93yf.exe

    Filesize

    17KB

    MD5

    996e1594d08809abfa3a5f9bb37a350b

    SHA1

    b89ce3b098efa47c5f5c6b73aebef14f3a7c6f2c

    SHA256

    ed61027bbd29bfd30e911c233a1b1b41f26d2e609d19ea33dfb3ad9cbd52cd48

    SHA512

    f9aa0479792b46927b71330a1185c9257ce4ca99ae627f38c3705f8f15caaea4705a19fdc4f8776a93f924a5a080e4ce2f07c8edfb4c319c43eb47b7e7659faf

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    76fd02b48297edb28940bdfa3fa1c48a

    SHA1

    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

    SHA256

    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

    SHA512

    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0
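To reuse the hashes above without retyping them, the added script below (not part of the report) parses the dropped-file list into records, validates each digest's length and alphabet, indexes every digest for lookup and emits a CSV for a blocklist or SIEM lookup table. The embedded REPORT_TEXT is the report's own section with the MD5, SHA1 and SHA256 lines. Note that the same Temp path is listed twice with different contents (845 bytes, then 17KB), so both digests are kept as separate IoCs rather than collapsed by path.

```python
"""Turn the dropped-file list of the sandbox report into structured IoCs.

Added example, not part of the report.  REPORT_TEXT is copied from the
report's dropped-file section (MD5, SHA1 and SHA256 lines); the parser follows
that layout: a bullet line carrying the path, then alternating label / value
lines until the next bullet.
"""
import csv
import io

REPORT_TEXT = r"""
  • C:\Users\Admin\AppData\Local\Temp\blndNw9FyRk93yf.exe
    Filesize
    845B
    MD5
    b2c22c3a80071c4f2812cb6a539d1249
    SHA1
    fe23298a01fce8da76fed5d234aa7343ff1d7b83
    SHA256
    3c76c274baaf8780eda08f23e1c6a0e7fe17245c1f6bf5f7b8ed37c0a33b0990
  • C:\Users\Admin\AppData\Local\Temp\blndNw9FyRk93yf.exe
    Filesize
    17KB
    MD5
    996e1594d08809abfa3a5f9bb37a350b
    SHA1
    b89ce3b098efa47c5f5c6b73aebef14f3a7c6f2c
    SHA256
    ed61027bbd29bfd30e911c233a1b1b41f26d2e609d19ea33dfb3ad9cbd52cd48
  • C:\Windows\svhost.exe
    Filesize
    16KB
    MD5
    76fd02b48297edb28940bdfa3fa1c48a
    SHA1
    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
    SHA256
    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = set("0123456789abcdef")


def parse_dropped_files(text):
    """Parse the report layout into a list of dicts (path plus each label/value)."""
    records = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
            i += 1
            continue
        if not records or i + 1 >= len(lines):
            raise ValueError(f"unexpected line in report text: {line!r}")
        label, value = line, lines[i + 1]
        if label in HASH_LENGTHS:
            value = value.lower()
            if len(value) != HASH_LENGTHS[label] or not set(value) <= HEX:
                raise ValueError(f"malformed {label} for {records[-1]['path']}: {value!r}")
        records[-1][label] = value
        i += 2
    return records


def hash_index(records):
    """Map every digest (any algorithm) to the set of paths it was observed at."""
    index = {}
    for rec in records:
        for label in HASH_LENGTHS:
            if label in rec:
                index.setdefault(rec[label], set()).add(rec["path"])
    return index


def lookup(index, digest):
    """Case-insensitive digest lookup; returns sorted paths or an empty list."""
    return sorted(index.get(digest.lower(), ()))


def paths_with_multiple_contents(records):
    """Paths the report lists more than once with different SHA256s."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["path"], set()).add(rec["SHA256"])
    return {path: len(digests) for path, digests in seen.items() if len(digests) > 1}


def to_csv(records):
    """CSV with one row per dropped-file record, suitable for a lookup table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["path", "Filesize", "MD5", "SHA1", "SHA256"],
                            extrasaction="ignore")
    writer.writeheader()
    for rec in records:
        writer.writerow(rec)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_TEXT)
    print(to_csv(recs))
    print(paths_with_multiple_contents(recs))
```

Because the index is keyed by digest rather than by path, a match on any one algorithm is enough to tie a file on a host back to the record it came from, and the two contents written to the same Temp path stay distinguishable.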