Analysis
-
max time kernel
140s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-05-2022 11:33
Static task
static1
Behavioral task
behavioral1
Sample
86fc141655ef3842be861de3ad4f566d.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
86fc141655ef3842be861de3ad4f566d.exe
-
Size
330KB
-
MD5
86fc141655ef3842be861de3ad4f566d
-
SHA1
626fe12a4a925355053d1a0cd70e9eedaea6fc0e
-
SHA256
b86b2701c8e065a75b55d8a8fcf6cc980e21d5587e7f2a9def7bfdbdcc386651
-
SHA512
a5453ae840855523e728c33df3abe9e7230aa6d9a63305fea3de6433dbba188e98de4dc978948023b890009c0b1c515496bfd8818d27827bfdfad09bf494edf0
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4076 3764 WerFault.exe 86fc141655ef3842be861de3ad4f566d.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
86fc141655ef3842be861de3ad4f566d.exepid process 3764 86fc141655ef3842be861de3ad4f566d.exe 3764 86fc141655ef3842be861de3ad4f566d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
86fc141655ef3842be861de3ad4f566d.exedescription pid process Token: SeDebugPrivilege 3764 86fc141655ef3842be861de3ad4f566d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\86fc141655ef3842be861de3ad4f566d.exe"C:\Users\Admin\AppData\Local\Temp\86fc141655ef3842be861de3ad4f566d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 19282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3764 -ip 37641⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3764-130-0x00000000005BD000-0x00000000005E7000-memory.dmpFilesize
168KB
-
memory/3764-131-0x0000000002110000-0x0000000002147000-memory.dmpFilesize
220KB
-
memory/3764-132-0x0000000000400000-0x00000000004E8000-memory.dmpFilesize
928KB
-
memory/3764-133-0x0000000004B90000-0x0000000005134000-memory.dmpFilesize
5.6MB
-
memory/3764-134-0x00000000051B0000-0x00000000057C8000-memory.dmpFilesize
6.1MB
-
memory/3764-135-0x0000000005870000-0x0000000005882000-memory.dmpFilesize
72KB
-
memory/3764-136-0x0000000005890000-0x000000000599A000-memory.dmpFilesize
1.0MB
-
memory/3764-137-0x00000000059A0000-0x00000000059DC000-memory.dmpFilesize
240KB
-
memory/3764-138-0x0000000006920000-0x0000000006996000-memory.dmpFilesize
472KB
-
memory/3764-139-0x00000000069D0000-0x0000000006A62000-memory.dmpFilesize
584KB
-
memory/3764-140-0x0000000006AF0000-0x0000000006B0E000-memory.dmpFilesize
120KB
-
memory/3764-141-0x0000000006CF0000-0x0000000006D56000-memory.dmpFilesize
408KB
-
memory/3764-142-0x0000000007320000-0x00000000074E2000-memory.dmpFilesize
1.8MB
-
memory/3764-143-0x00000000074F0000-0x0000000007A1C000-memory.dmpFilesize
5.2MB