37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01

Analysis

Target

37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe
Size

501KB
MD5

2af3125fe1dc2d872ae96fa898d31025
SHA1

520276bd895559d8cac8ba9829d467521a7b764e
SHA256

37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01
SHA512

8a497dd8fe4859f2f5f749bebdbac392fd40c051075e710504c51687ef9e8e008fb3294b36d666d46d36c73caa93748b25151239c96e4452be02ef1c0d4eb0b3

Score

7^/10

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe

pid	process
3416	37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe
3416	37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4848 3416 WerFault.exe 37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe

pid	pid_target	process	target process
4848	3416	WerFault.exe	37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe

C:\Users\Admin\AppData\Local\Temp\37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe
"C:\Users\Admin\AppData\Local\Temp\37435a8ec0f7afabf767e08c57f5d0fcd7fbf1aa7cb6eab24c4178bdc40ffe01.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1232
2⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3416 -ip 3416
1⤵
PID:1340

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/3416-130-0x0000000000675000-0x00000000006B0000-memory.dmp

Filesize
236KB

Download
memory/3416-131-0x0000000000675000-0x00000000006B0000-memory.dmp

Filesize
236KB

Download
memory/3416-132-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3416-133-0x0000000000675000-0x00000000006B0000-memory.dmp

Filesize
236KB

Download
memory/3416-134-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3416-135-0x00000000739A0000-0x00000000739D9000-memory.dmp

Filesize
228KB

Download
memory/3416-136-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3416-137-0x00000000739A0000-0x00000000739D9000-memory.dmp

Filesize
228KB

Download