Overview

overview

10

Static

static

8ac1ff8f30...8d.exe

windows7_x64

10

8ac1ff8f30...8d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe

  • Size

    375KB

  • MD5

    32816da2c4b57793f943d58058d9abec

  • SHA1

    2b7ec6b605cabf7c1156abb99640d30c6567203d

  • SHA256

    8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d

  • SHA512

    634bf6e5350d5b041b093fb49c330533c0ebb42105bc386b941ab7e3c619122418b905410a660517a99e12574c78f8ddf4b5bf1f21b73233678cda0842ff94bf

Score
10/10
discoveryspywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 9 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe
    "C:\Users\Admin\AppData\Local\Temp\8ac1ff8f3045a819c8bc2b7e6f11eef96117f8e11b81f97a1c5ac72cc807458d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1244
      2⤵
      • Drops file in Windows directory
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3536
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4988
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4820 -ip 4820
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4820-145-0x0000000007514000-0x0000000007516000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4820-132-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4820-140-0x0000000007AD0000-0x00000000080E8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4820-133-0x0000000074CEE000-0x0000000074CEF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4820-134-0x0000000007510000-0x0000000007511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4820-135-0x0000000007512000-0x0000000007513000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4820-136-0x0000000007513000-0x0000000007514000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4820-137-0x0000000007520000-0x0000000007AC4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4820-142-0x0000000007430000-0x0000000007442000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4820-150-0x0000000008ED0000-0x0000000009092000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4820-151-0x00000000090A0000-0x00000000095CC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4820-131-0x0000000004870000-0x00000000048A9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4820-149-0x0000000008CF0000-0x0000000008D0E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4820-143-0x00000000080F0000-0x00000000081FA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4820-144-0x0000000007470000-0x00000000074AC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4820-130-0x0000000004840000-0x000000000486B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/4820-146-0x0000000008480000-0x00000000084E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4820-147-0x0000000008B20000-0x0000000008BB2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4820-148-0x0000000008BD0000-0x0000000008C46000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4988-138-0x00000214C4720000-0x00000214C4730000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4988-139-0x00000214C4780000-0x00000214C4790000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4988-141-0x00000214C6E40000-0x00000214C6E44000-memory.dmp
    Filesize

    16KB

    Download