a87651cf3ffd7550018294c1b6a5c987f7f8bf29e205b82b31a76f518050b3fd

Analysis

max time kernel
136s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PasswordScan.exe
Size

579KB
MD5

9c1ffaf6015e5ed56a981cea5f0937a9
SHA1

34e8b64c9cb5dacdca2e98cc4050fa7f3469b19a
SHA256

32e9052bfcf8ebbe86164ef29e58b293b505c9101d1ee9c3bc04a508a3a9a7fc
SHA512

4ce58f5bceb3b5efba44c0f53ea084a5538634a589c6b80aef7d86afe8629c0136d4478ec58e366ac5d192d344b1d3961bd0f8cafba391ce7c7d6d515d784065
SSDEEP

12288:b2l6mBtnALzuOfPv3tzRSRnblGhCVRxFWxksg:qtnAmOfH3tVSRnJKCh49g

Score

9^/10

credential_access spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe
428	PasswordScan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	PasswordScan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 428 wrote to memory of 668	428	PasswordScan.exe	7
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2644	668	lsass.exe	90
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 3320	668	lsass.exe	93
PID 668 wrote to memory of 2148	668	lsass.exe	39
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 824	668	lsass.exe	96
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2576	668	lsass.exe	45
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44
PID 668 wrote to memory of 2556	668	lsass.exe	44

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2556

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\PasswordScan.exe
"C:\Users\Admin\AppData\Local\Temp\PasswordScan.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e6755c7f92647cc238e66a16a2446bce yQPxoEKSMU2S1GBBlo5sag.0.1.0.0.0
1⤵
PID:2644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3320

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:824

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2288

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2384

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-11-0x000001D3055E0000-0x000001D3055E1000-memory.dmp

Filesize
4KB

Download
memory/668-10-0x000001D3055E0000-0x000001D3055E1000-memory.dmp

Filesize
4KB

Download
memory/668-3-0x000001D3055E0000-0x000001D3055E1000-memory.dmp

Filesize
4KB

Download
memory/668-9-0x000001D3055E0000-0x000001D3055E1000-memory.dmp

Filesize
4KB

Download
memory/668-13-0x000001D3055E0000-0x000001D3055E1000-memory.dmp

Filesize
4KB

Download
memory/668-12-0x000001D3055E0000-0x000001D3055E1000-memory.dmp

Filesize
4KB

Download