28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5

General

Target

931fdd551975cf30ae02f85a90c5ee22.exe
Size

215KB
MD5

931fdd551975cf30ae02f85a90c5ee22
SHA1

d0330b0199af3e6c06534fee5cbf9d5e88966bc1
SHA256

28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
SHA512

68b29d615d97e0be26d799390ba526b5959a805006f1294238073b980266e73b86b5f9a90948bd5170023b80b5d0141baa4784eb1a71b2036a7e36fdf8b71f32

Score

10^/10

discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1000 created 2436 1000 WerFault.exe gDichIeB.exe
PID 3748 created 2576 3748 WerFault.exe gDichIeB.exe

description	pid	process	target process
PID 1000 created 2436	1000	WerFault.exe	gDichIeB.exe
PID 3748 created 2576	3748	WerFault.exe	gDichIeB.exe

ServiceHost packer 4 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2436-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2436-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2436-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2436-14-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 2 IoCs

Processes:

gDichIeB.exegDichIeB.exe

pid process

2436 gDichIeB.exe
2576 gDichIeB.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1000 2436 WerFault.exe gDichIeB.exe
3748 2576 WerFault.exe gDichIeB.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2264 schtasks.exe

pid	process
2436	gDichIeB.exe
2576	gDichIeB.exe

pid	pid_target	process	target process
1000	2436	WerFault.exe	gDichIeB.exe
3748	2576	WerFault.exe	gDichIeB.exe

pid	process
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1000	WerFault.exe
Token: SeBackupPrivilege	1000	WerFault.exe
Token: SeDebugPrivilege	1000	WerFault.exe
Token: SeDebugPrivilege	3748	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

931fdd551975cf30ae02f85a90c5ee22.execmd.exe

description	pid	process	target process
PID 672 wrote to memory of 2436	672	931fdd551975cf30ae02f85a90c5ee22.exe	gDichIeB.exe
PID 672 wrote to memory of 2436	672	931fdd551975cf30ae02f85a90c5ee22.exe	gDichIeB.exe
PID 672 wrote to memory of 2436	672	931fdd551975cf30ae02f85a90c5ee22.exe	gDichIeB.exe
PID 672 wrote to memory of 3548	672	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 672 wrote to memory of 3548	672	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 672 wrote to memory of 3548	672	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 3548 wrote to memory of 2264	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 2264	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 2264	3548	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\931fdd551975cf30ae02f85a90c5ee22.exe
"C:\Users\Admin\AppData\Local\Temp\931fdd551975cf30ae02f85a90c5ee22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe
"C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe"
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 404
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe"
3⤵
- Creates scheduled task(s)
PID:2264

C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe
C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 588
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\gDichIeB.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
memory/672-1-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/672-0-0x00000000007D6000-0x00000000007D7000-memory.dmp

Filesize
4KB

Download
memory/1000-10-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1000-15-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/2264-8-0x0000000000000000-mapping.dmp

Download
memory/2436-9-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2436-11-0x0000000000000000-mapping.dmp

Download
memory/2436-12-0x0000000000000000-mapping.dmp

Download
memory/2436-13-0x0000000000000000-mapping.dmp

Download
memory/2436-14-0x0000000000000000-mapping.dmp

Download
memory/2436-4-0x0000000000000000-mapping.dmp

Download
memory/2576-17-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3548-7-0x0000000000000000-mapping.dmp

Download
memory/3748-18-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3748-19-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3748-21-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/3748-25-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads