f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7

General

Target

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Size

324KB
MD5

bda20d0177640d129ace7394841fe5c0
SHA1

3c8c531a28901ce5f3a6eb9b5ac1c353bfc73f87
SHA256

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7
SHA512

bfaedf705c5bdb3b8b4aa63b18a20e9336ee77999e3637f3677f3aa1623270e5b9dbb62bcd1d1b338979c391cb38d4b127544120804ac42e1c515b0776d02e9e

Score

10^/10

spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3284 created 4696 3284 WerFault.exe f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Loads dropped DLL 1 IoCs

Processes:

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

pid process

4696 f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3284 4696 WerFault.exe f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

description	pid	process	target process
PID 3284 created 4696	3284	WerFault.exe	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

pid	pid_target	process	target process
3284	4696	WerFault.exe	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exeWerFault.exe

pid	process
4696	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
4696	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
4696	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
4696	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
4696	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe
3284	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4696	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Token: SeRestorePrivilege	3284	WerFault.exe
Token: SeBackupPrivilege	3284	WerFault.exe
Token: SeDebugPrivilege	3284	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
"C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1360
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\10d99b49-052f-4ada-adab-4c003fc333e5\AgileDotNetRT.dll
MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
memory/4696-114-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/4696-117-0x0000000072A90000-0x0000000072B10000-memory.dmp

Filesize
512KB

Download
memory/4696-118-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4696-119-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/4696-120-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4696-121-0x0000000004B93000-0x0000000004B95000-memory.dmp

Filesize
8KB

Download
memory/4696-122-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/4696-123-0x0000000004B95000-0x0000000004B96000-memory.dmp

Filesize
4KB

Download
memory/4696-124-0x0000000004B96000-0x0000000004B97000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing