Analysis
- max time kernel: 136s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 16:44
- Static task: static1
General
- Target: e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe
- Size: 407KB
- MD5: ccfaf8678bfe1ecd0a4dc16d225195f4
- SHA1: 90f58e42214bafea1e0825d181b915ec3c7304c3
- SHA256: e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c
- SHA512: 991277fffa77b3488e06255e5c0b9572cbd18b3f7320cc2efc96d43736883cc9c84ce403dc204316dc93be3088ed9d7f057b798835f364313a5f55b3e113f9e1
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2352  4028        WerFault.exe  e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4028  e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe
    4028  e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4028  e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0109e0fb908d09db12eaf8b9fd08525a25d5941a9ab9da0d730c51e4185a39c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1916
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4028 -ip 4028
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  File                                                              Filesize
  memory/4028-130-0x0000000000642000-0x000000000066C000-memory.dmp  168KB
  memory/4028-131-0x00000000020F0000-0x0000000002127000-memory.dmp  220KB
  memory/4028-132-0x0000000000400000-0x00000000004A7000-memory.dmp  668KB
  memory/4028-133-0x0000000004AB0000-0x0000000005054000-memory.dmp  5.6MB
  memory/4028-134-0x0000000005060000-0x0000000005678000-memory.dmp  6.1MB
  memory/4028-135-0x00000000056F0000-0x0000000005702000-memory.dmp  72KB
  memory/4028-136-0x0000000005710000-0x000000000581A000-memory.dmp  1.0MB
  memory/4028-137-0x0000000005820000-0x000000000585C000-memory.dmp  240KB
  memory/4028-138-0x0000000005B30000-0x0000000005BA6000-memory.dmp  472KB
  memory/4028-139-0x0000000005BE0000-0x0000000005C72000-memory.dmp  584KB
  memory/4028-140-0x0000000005DE0000-0x0000000005DFE000-memory.dmp  120KB
  memory/4028-141-0x0000000005E50000-0x0000000005EB6000-memory.dmp  408KB
  memory/4028-142-0x0000000006570000-0x0000000006732000-memory.dmp  1.8MB
  memory/4028-143-0x0000000006760000-0x0000000006C8C000-memory.dmp  5.2MB