35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe

Analysis

Target

35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe
Size

93KB
MD5

3ebea54d37ce5b28938586eb8cf3f988
SHA1

19b23a1f31e43a24525c0e7a895d62fbbd7b0ee6
SHA256

35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe
SHA512

b6972fb6f45e0471c6b3743089795ad57fa6063dda536b07aaccb925b235b028a3a2af527801d649d4f98d349b69332034b142c66c5dc4c09410b7dcc107d8c6

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

544 840 WerFault.exe 35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

544 WerFault.exe
544 WerFault.exe
544 WerFault.exe
544 WerFault.exe
544 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

544 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 544 WerFault.exe

pid	pid_target	process	target process
544	840	WerFault.exe	35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe

pid	process
544	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	544	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe

description	pid	process	target process
PID 840 wrote to memory of 544	840	35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe	WerFault.exe
PID 840 wrote to memory of 544	840	35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe	WerFault.exe
PID 840 wrote to memory of 544	840	35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe	WerFault.exe
PID 840 wrote to memory of 544	840	35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe
"C:\Users\Admin\AppData\Local\Temp\35061832b19b2266148ff7fb755676b4d29f7ad5c2c25d0a31541a226c61ffbe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 1456
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:544

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/544-56-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/840-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download