Overview

overview

10

Static

static

091e5232b9...2b.exe

windows7_x64

10

091e5232b9...2b.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-06-2022 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    091e5232b917a09910ef7fadc864bf2b.exe

  • Size

    422KB

  • MD5

    091e5232b917a09910ef7fadc864bf2b

  • SHA1

    c4daa3d7b3d5b5f29c7828f2500c40309718bad2

  • SHA256

    5031ef16176b528d27581a3ceb8b3c188a3907beee86108ccd445bbffbe44ed4

  • SHA512

    446e384b74e29306a41f051d38aa0dc2d1628957adad09533707d768ff6d4c0059d503617d80ade022fac91d1b09ebc8332b575ebfb63c0932fed89490eaa112

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\091e5232b917a09910ef7fadc864bf2b.exe
    "C:\Users\Admin\AppData\Local\Temp\091e5232b917a09910ef7fadc864bf2b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1148
      2⤵
      • Program crash
      PID:2792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2492 -ip 2492
    1⤵
      PID:2604

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2492-130-0x0000000002FAE000-0x0000000002FD8000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2492-131-0x0000000002F20000-0x0000000002F57000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2492-132-0x0000000000400000-0x0000000002C87000-memory.dmp
      Filesize

      40.5MB

      Download
    • memory/2492-133-0x0000000007390000-0x0000000007934000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2492-134-0x0000000007970000-0x0000000007F88000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2492-135-0x0000000008020000-0x0000000008032000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2492-136-0x0000000008040000-0x000000000814A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2492-137-0x0000000008170000-0x00000000081AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2492-138-0x0000000008470000-0x00000000084E6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2492-139-0x0000000008580000-0x0000000008612000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2492-140-0x0000000008720000-0x000000000873E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2492-141-0x00000000087B0000-0x0000000008816000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2492-142-0x0000000008ED0000-0x0000000009092000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2492-143-0x00000000090A0000-0x00000000095CC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2492-144-0x0000000002FAE000-0x0000000002FD8000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2492-145-0x0000000002F20000-0x0000000002F57000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2492-146-0x0000000002FAE000-0x0000000002FD8000-memory.dmp
      Filesize

      168KB

      Download
    • memory/2492-147-0x0000000000400000-0x0000000002C87000-memory.dmp
      Filesize

      40.5MB

      Download