Analysis
max time kernel: 91s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 13:05
Static task: static1

General
Target: a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b.exe
Size: 407KB
MD5: 16ba7060655c5102698ed9bc4cd14477
SHA1: a221c5a7bdebbd05cbd933173d9c2a36a505cc9d
SHA256: a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b
SHA512: ee693e9f30b5e5f2297911ead841da24065cd2c95e2fff8286c515f06d666d14a0224363ce88de5a62bd6c4f8305f0ba7adf8c9ef3fca35a59787701c111db4c
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  224   4648         WerFault.exe   a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid    process
  4648   a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                pid    process
  Token: SeDebugPrivilege    4648   a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b.exe
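The signatures above are behavioural rules the sandbox matched against the trace: registry reads under the Uninstall key, file opens on browser profile and wallet paths, a token privilege change to SeDebugPrivilege, and process enumeration. The Python below is an added example, not the sandbox's rule set or any code from this report; the event records are constructed for illustration (the real trace is not on the page), and the path patterns are this example's own assumptions about where browsers and wallets keep their data. It shows how a small set of per-event predicates turns a raw trace into the name / IoC count / pid summary the report presents.

```python
import re

# Constructed sample events. They are NOT the sandbox's trace; they model the
# kinds of registry, file and token operations the report's signatures describe.
SAMPLE_EVENTS = [
    {"pid": 4648, "op": "RegOpenKey",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4648, "op": "RegOpenKey",
     "path": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"},
    {"pid": 4648, "op": "CreateFile",
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4648, "op": "CreateFile",
     "path": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json"},
    {"pid": 4648, "op": "CreateFile",
     "path": r"C:\Users\Admin\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 4648, "op": "CreateFile",
     "path": r"C:\Users\Admin\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"pid": 4648, "op": "AdjustTokenPrivileges", "privilege": "SeDebugPrivilege"},
    {"pid": 4648, "op": "CreateToolhelp32Snapshot", "flags": "TH32CS_SNAPPROCESS"},
    # Benign activity from another process; must not match any rule.
    {"pid": 1337, "op": "CreateFile", "path": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 1337, "op": "RegOpenKey",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]


def _path_matches(event, pattern):
    """Case-insensitive regex search over the event's path (registry or file)."""
    return bool(re.search(pattern, event.get("path", ""), re.IGNORECASE))


# Hypothetical rules written for this example; the sandbox's real rules are not on the page.
# Each entry: (signature name as the report prints it, predicate over one event).
RULES = [
    ("Reads user/profile data of web browsers",
     lambda e: e["op"] == "CreateFile" and _path_matches(
         e, r"\\(User Data\\.*\\(Login Data|Cookies|Web Data)"
            r"|Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite))$")),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting",
     lambda e: e["op"] == "CreateFile" and _path_matches(
         e, r"\\(Bitcoin\\wallet\.dat|Electrum\\wallets\\|Exodus\\|Ethereum\\keystore\\)")),
    ("Checks installed software on the system",
     lambda e: e["op"] == "RegOpenKey" and _path_matches(
         e, r"\\CurrentVersion\\Uninstall(\\|$)")),
    ("Suspicious use of AdjustPrivilegeToken",
     lambda e: e["op"] == "AdjustTokenPrivileges" and e.get("privilege") == "SeDebugPrivilege"),
    ("Suspicious behavior: EnumeratesProcesses",
     lambda e: e["op"] == "CreateToolhelp32Snapshot" and "TH32CS_SNAPPROCESS" in e.get("flags", "")),
]


def evaluate(events):
    """Return {signature name: {"pids": set of pids, "events": matching events}} for rules that fired."""
    hits = {}
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                entry = hits.setdefault(name, {"pids": set(), "events": []})
                entry["pids"].add(event["pid"])
                entry["events"].append(event)
    return hits


def summarize(hits):
    """Render one line per fired signature in the report's style: name, IoC count, pids."""
    lines = []
    for name, entry in sorted(hits.items()):
        pids = ", ".join(str(p) for p in sorted(entry["pids"]))
        lines.append(f"{name}: {len(entry['events'])} IoCs (pid {pids})")
    return lines


if __name__ == "__main__":
    for line in summarize(evaluate(SAMPLE_EVENTS)):
        print(line)
```

Two things the summary does not tell you, and that the rules above make explicit: a signature counts events, so "2 TTPs" or "1 IoCs" says nothing about how many distinct files or keys were touched, and the wallet and browser rules fire on file opens regardless of whether the read succeeded, so a hit is a strong indicator of intent rather than proof of exfiltrated data.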
Processes
- C:\Users\Admin\AppData\Local\Temp\a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a0f1f26dfa145a1e0d273530c17619618fcb09024e7f6f867d4aa96dff4ce29b.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1280
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4648 -ip 4648
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                              Filesize
memory/4648-130-0x0000000000822000-0x000000000084C000-memory.dmp   168KB
memory/4648-131-0x0000000000790000-0x00000000007C7000-memory.dmp   220KB
memory/4648-132-0x0000000000400000-0x00000000004A7000-memory.dmp   668KB
memory/4648-133-0x0000000004CF0000-0x0000000005294000-memory.dmp   5.6MB
memory/4648-134-0x00000000052A0000-0x00000000058B8000-memory.dmp   6.1MB
memory/4648-135-0x0000000004C50000-0x0000000004C62000-memory.dmp   72KB
memory/4648-136-0x00000000058C0000-0x00000000059CA000-memory.dmp   1.0MB
memory/4648-137-0x0000000004C70000-0x0000000004CAC000-memory.dmp   240KB
memory/4648-138-0x00000000067A0000-0x0000000006832000-memory.dmp   584KB
memory/4648-139-0x0000000006860000-0x00000000068C6000-memory.dmp   408KB
memory/4648-140-0x0000000006BE0000-0x0000000006C56000-memory.dmp   472KB
memory/4648-141-0x0000000006CB0000-0x0000000006CCE000-memory.dmp   120KB
memory/4648-142-0x0000000006EB0000-0x0000000007072000-memory.dmp   1.8MB
memory/4648-143-0x0000000007080000-0x00000000075AC000-memory.dmp   5.2MB
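Each dump name encodes the pid, a running dump index and the virtual address range that was captured, so the listing can be sanity-checked without downloading anything. The Python below is an added example, not part of the report or of the sandbox's tooling; the listing it parses is copied from the table above. It recomputes each region's size and compares it with the listed Filesize, checks that no two ranges of the same pid overlap, and locates the region holding the executable image. The image lookup assumes the 32-bit default image base 0x400000, which is consistent with the crash being handled by the SysWOW64 copy of WerFault.exe (a 32-bit process) but is an assumption, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed input: the dump names and listed sizes from the report's Downloads table.
DUMP_LISTING = [
    ("memory/4648-130-0x0000000000822000-0x000000000084C000-memory.dmp", "168KB"),
    ("memory/4648-131-0x0000000000790000-0x00000000007C7000-memory.dmp", "220KB"),
    ("memory/4648-132-0x0000000000400000-0x00000000004A7000-memory.dmp", "668KB"),
    ("memory/4648-133-0x0000000004CF0000-0x0000000005294000-memory.dmp", "5.6MB"),
    ("memory/4648-134-0x00000000052A0000-0x00000000058B8000-memory.dmp", "6.1MB"),
    ("memory/4648-135-0x0000000004C50000-0x0000000004C62000-memory.dmp", "72KB"),
    ("memory/4648-136-0x00000000058C0000-0x00000000059CA000-memory.dmp", "1.0MB"),
    ("memory/4648-137-0x0000000004C70000-0x0000000004CAC000-memory.dmp", "240KB"),
    ("memory/4648-138-0x00000000067A0000-0x0000000006832000-memory.dmp", "584KB"),
    ("memory/4648-139-0x0000000006860000-0x00000000068C6000-memory.dmp", "408KB"),
    ("memory/4648-140-0x0000000006BE0000-0x0000000006C56000-memory.dmp", "472KB"),
    ("memory/4648-141-0x0000000006CB0000-0x0000000006CCE000-memory.dmp", "120KB"),
    ("memory/4648-142-0x0000000006EB0000-0x0000000007072000-memory.dmp", "1.8MB"),
    ("memory/4648-143-0x0000000007080000-0x00000000075AC000-memory.dmp", "5.2MB"),
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int  # exclusive

    @property
    def size(self) -> int:
        return self.end - self.start

    def human_size(self) -> str:
        """Render like the report: whole KB below 1 MiB, otherwise MB with one decimal."""
        if self.size < 1024 * 1024:
            return f"{self.size // 1024}KB"
        return f"{self.size / (1024 * 1024):.1f}MB"

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_dump_name(name: str) -> Region:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def check_listing(listing):
    """Names whose listed Filesize disagrees with the address range (or whose range is empty)."""
    bad = []
    for name, listed in listing:
        region = parse_dump_name(name)
        if region.size <= 0 or region.human_size() != listed:
            bad.append(name)
    return bad


def find_overlaps(regions):
    """(idx, idx) pairs of same-pid regions whose ranges intersect; a clean listing has none."""
    ordered = sorted(regions, key=lambda r: (r.pid, r.start))
    return [(a.idx, b.idx) for a, b in zip(ordered, ordered[1:])
            if a.pid == b.pid and b.start < a.end]


def image_region(regions, image_base=0x400000):
    """The region containing image_base (assumed: 32-bit default base), or None."""
    return next((r for r in regions if r.contains(image_base)), None)


if __name__ == "__main__":
    regions = [parse_dump_name(name) for name, _ in DUMP_LISTING]
    print("size mismatches:", check_listing(DUMP_LISTING))
    print("overlapping ranges:", find_overlaps(regions))
    img = image_region(regions)
    print("image region:", f"dump {img.idx} {img.start:#x}-{img.end:#x} ({img.human_size()})")
```

On this listing the 0x400000-0x4A7000 dump (668KB) is the mapped image; it is larger than the 407KB file because sections are page-aligned in memory and uninitialised data takes no space on disk. That region is the one to feed to a PE-rebuilding tool, while the multi-megabyte regions further up are heaps and are the usual place to look for unpacked payloads or decrypted strings.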