Analysis
- max time kernel: 91s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 17:46

Static task: static1
Behavioral task: behavioral1
Sample: b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe
Resource: win7-20220414-en
General
- Target: b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe
- Size: 384KB
- MD5: 138b3fe6de98eabb5f0f2cac7cd9bae2
- SHA1: 040625bdf94d8faf02c182fd509478a34821cca9
- SHA256: b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5
- SHA512: 1f7cd1a2990602b4dc25bacab8622ebc6895c43f78f80a9522e529618330c47a1641bb17c0dd526f673017e5e55be2369b558753df83d71e0315110bc1f7f71b
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  Processes:
    pid 1460 (target pid 2160): WerFault.exe -> b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2160: b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    pid 2160: b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe, Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b83fd52056dc4354b56c8c3b22f8918c99991d5029db5ae55d66b82963fc1ed5.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 2452
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2160 -ip 2160
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2160-130-0x0000000007430000-0x00000000079D4000-memory.dmp (5.6MB)
- memory/2160-131-0x0000000002E2E000-0x0000000002E58000-memory.dmp (168KB)
- memory/2160-132-0x00000000048B0000-0x00000000048E7000-memory.dmp (220KB)
- memory/2160-133-0x0000000000400000-0x0000000002B7C000-memory.dmp (39.5MB)
- memory/2160-134-0x00000000079E0000-0x0000000007FF8000-memory.dmp (6.1MB)
- memory/2160-135-0x0000000004FD0000-0x0000000004FE2000-memory.dmp (72KB)
- memory/2160-136-0x0000000008000000-0x000000000810A000-memory.dmp (1.0MB)
- memory/2160-137-0x0000000007370000-0x00000000073AC000-memory.dmp (240KB)
- memory/2160-138-0x0000000008E70000-0x0000000008F02000-memory.dmp (584KB)
- memory/2160-139-0x0000000008F30000-0x0000000008F96000-memory.dmp (408KB)
- memory/2160-140-0x00000000092B0000-0x0000000009326000-memory.dmp (472KB)
- memory/2160-141-0x0000000009380000-0x000000000939E000-memory.dmp (120KB)
- memory/2160-142-0x00000000096B0000-0x0000000009872000-memory.dmp (1.8MB)
- memory/2160-143-0x0000000009A80000-0x0000000009FAC000-memory.dmp (5.2MB)