fd4d1fc83330c5cf818e557ef882ca147ba98fee4128fe00bda07c6c2f79050a

Analysis

Target

48fl6271oClv7lfnOsBHvbLy.exe
Size

900KB
MD5

22f5d12116ee1c11f3173f977bafc744
SHA1

f923b684397cb158ebd77b3d2a8e0365992867db
SHA256

fd4d1fc83330c5cf818e557ef882ca147ba98fee4128fe00bda07c6c2f79050a
SHA512

f628a0a9ebc0aa1c60e8a7bba9433bcf14216be064288aaf253965935d6b8ee310df11a72f559877cbfb3bb2aedb6c710f8d017ef8f36cfc5f71010de433500f

Score

10^/10

spyware stealer

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 812 created 1768	812	WerFault.exe	68

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
812	1768	WerFault.exe	68

Suspicious behavior: EnumeratesProcesses 13 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\48fl6271oClv7lfnOsBHvbLy.exe
"C:\Users\Admin\AppData\Local\Temp\48fl6271oClv7lfnOsBHvbLy.exe"
1⤵
PID:1768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1768 -s 840
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1768-116-0x0000020493D00000-0x0000020493E61000-memory.dmp

Filesize
1.4MB

Download
memory/1768-115-0x0000020493EA0000-0x0000020493FFB000-memory.dmp

Filesize
1.4MB

Download