Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
14-07-2024 12:07
Behavioral task
behavioral1
Sample
de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe
Resource
win7-20240704-en
General
-
Target
de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe
-
Size
17.1MB
-
MD5
505c82de0d88ad7024d2982e44d1d118
-
SHA1
798cec05d8875d7afec0e78a1f2eefc30ea961de
-
SHA256
de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1
-
SHA512
536245a22ade94ed378b99ff5ea9fca234c1848f583b1c6db4b6916666d9b59ae538d2c3797b9f1972ff3e6fa4e15f4c3dc16e6934bebc984d89197331f7811e
-
SSDEEP
98304:/VAj4+4BjIW9rqZdAgNnrYtt+TIGAAU+XeXM+J+JBiGSEX9cUh9iOiTUVtZBgx:/VAjxS6YtuIGlZOcprk
Malware Config
Signatures
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
pid Process 2956 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2956 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2956 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2956 2572 de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe 32 PID 2572 wrote to memory of 2956 2572 de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe 32 PID 2572 wrote to memory of 2956 2572 de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe"C:\Users\Admin\AppData\Local\Temp\de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b