Analysis
- max time kernel: 132s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-05-2022 14:37
Static task: static1
Behavioral task: behavioral1
- Sample: d9e817bfed5b63389936d9e61433b50d.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds
General
- Target: d9e817bfed5b63389936d9e61433b50d.exe
- Size: 347KB
- MD5: d9e817bfed5b63389936d9e61433b50d
- SHA1: 43153e495ea1ac4cebdfb011585afd8f722d21e9
- SHA256: 21887d134ef45f8c4702d835a92111e905c94b4359b357f8ced432b80420d416
- SHA512: de59e992915ecea7d765114a610cdebb3c198d945abdf73dec486eddfb15f3f6456f5e23a73baabe91692929c03537c323d033bc4d411361c12338374ef61660
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid: 1528 | pid_target: 1636 | process: WerFault.exe | target process: d9e817bfed5b63389936d9e61433b50d.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: d9e817bfed5b63389936d9e61433b50d.exe
    pid: 1636 | process: d9e817bfed5b63389936d9e61433b50d.exe
    pid: 1636 | process: d9e817bfed5b63389936d9e61433b50d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: d9e817bfed5b63389936d9e61433b50d.exe
    description: Token: SeDebugPrivilege | pid: 1636 | process: d9e817bfed5b63389936d9e61433b50d.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d9e817bfed5b63389936d9e61433b50d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9e817bfed5b63389936d9e61433b50d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1848
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1636 -ip 1636
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1636-130-0x0000000002C6D000-0x0000000002C97000-memory.dmp (Filesize: 168KB)
- memory/1636-131-0x0000000004770000-0x00000000047A7000-memory.dmp (Filesize: 220KB)
- memory/1636-132-0x0000000000400000-0x0000000002B73000-memory.dmp (Filesize: 39.4MB)
- memory/1636-133-0x00000000074D0000-0x0000000007A74000-memory.dmp (Filesize: 5.6MB)
- memory/1636-134-0x0000000007A80000-0x0000000008098000-memory.dmp (Filesize: 6.1MB)
- memory/1636-135-0x0000000004D80000-0x0000000004D92000-memory.dmp (Filesize: 72KB)
- memory/1636-136-0x00000000072D0000-0x00000000073DA000-memory.dmp (Filesize: 1.0MB)
- memory/1636-137-0x0000000004EC0000-0x0000000004EFC000-memory.dmp (Filesize: 240KB)
- memory/1636-138-0x0000000008E70000-0x0000000008ED6000-memory.dmp (Filesize: 408KB)
- memory/1636-139-0x00000000091C0000-0x0000000009236000-memory.dmp (Filesize: 472KB)
- memory/1636-140-0x0000000009280000-0x0000000009312000-memory.dmp (Filesize: 584KB)
- memory/1636-141-0x00000000094B0000-0x00000000094CE000-memory.dmp (Filesize: 120KB)
- memory/1636-142-0x0000000009560000-0x0000000009722000-memory.dmp (Filesize: 1.8MB)
- memory/1636-143-0x0000000009730000-0x0000000009C5C000-memory.dmp (Filesize: 5.2MB)