Analysis
max time kernel: 146s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-07-2024 04:03
Static task: static1
Behavioral task: behavioral1
  Sample: a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe
  Resource: win10v2004-20240704-en
Behavioral task: behavioral2
  Sample: a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe
  Resource: win11-20240704-en
General
Target: a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe
Size: 8.3MB
MD5: 9cc0e7d568d15f8f23b06c68ad71be62
SHA1: d7b6c018c99448014fe6199244956eafb69405d3
SHA256: a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1
SHA512: 2483ecb55bd3f126e6229d6dd19a6325430fed845a92294851b3915523a2df4f58fc253a9bedb22841c7c21c3ae54721d940b9cd0b652217a7482205d48dea45
SSDEEP: 49152:m5N3NXi7s9xkBT9zBalvjBcnSUfTfXVguobKavEeWL7jC5EEfXckQcnt1Ng8Gs8a:ZsrQ9QefrXVgNGkNEEfX2Hc
Malware Config
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4216 set thread context of 2052 | 4216 | a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | BitLockerToGo.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  2052 | BitLockerToGo.exe
  2052 | BitLockerToGo.exe
  2052 | BitLockerToGo.exe
  2052 | BitLockerToGo.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 4216 wrote to memory of 2052 | 4216 | a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | BitLockerToGo.exe
  PID 4216 wrote to memory of 2052 | 4216 | a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | BitLockerToGo.exe
  PID 4216 wrote to memory of 2052 | 4216 | a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | BitLockerToGo.exe
  PID 4216 wrote to memory of 2052 | 4216 | a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | BitLockerToGo.exe
  PID 4216 wrote to memory of 2052 | 4216 | a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | BitLockerToGo.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe"
   PID: 4216
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 2052
      - Suspicious behavior: EnumeratesProcesses