Analysis
-
max time kernel
164s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2022 08:37
Static task
static1
Behavioral task
behavioral1
Sample
a627d0e346fcbf98c5fa6853a9b91ebc.exe
Resource
win7-20220718-en
General
-
Target
a627d0e346fcbf98c5fa6853a9b91ebc.exe
-
Size
414KB
-
MD5
a627d0e346fcbf98c5fa6853a9b91ebc
-
SHA1
3710195b1603236cd7e217bb39f62a85433af7bd
-
SHA256
c0e52ade412fef542b58dc361fa58884c83d372d814f0eccf7431d6164c91ad1
-
SHA512
48e05079bbf1ae6ff2cc33b22940d5ae8c7de11cac48b03ba1a40c151642a6d14746a4f7d143f16a0f82192b750c100165f837fc9c6a8b348174b765e42753c0
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1920 3044 WerFault.exe a627d0e346fcbf98c5fa6853a9b91ebc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a627d0e346fcbf98c5fa6853a9b91ebc.exepid process 3044 a627d0e346fcbf98c5fa6853a9b91ebc.exe 3044 a627d0e346fcbf98c5fa6853a9b91ebc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a627d0e346fcbf98c5fa6853a9b91ebc.exedescription pid process Token: SeDebugPrivilege 3044 a627d0e346fcbf98c5fa6853a9b91ebc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a627d0e346fcbf98c5fa6853a9b91ebc.exe"C:\Users\Admin\AppData\Local\Temp\a627d0e346fcbf98c5fa6853a9b91ebc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 25242⤵
- Program crash
PID:1920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3044 -ip 30441⤵PID:4604
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3044-130-0x000000000052E000-0x0000000000558000-memory.dmpFilesize
168KB
-
memory/3044-131-0x00000000021C0000-0x00000000021F8000-memory.dmpFilesize
224KB
-
memory/3044-132-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3044-133-0x0000000004DF0000-0x0000000005394000-memory.dmpFilesize
5.6MB
-
memory/3044-134-0x00000000053A0000-0x00000000059B8000-memory.dmpFilesize
6.1MB
-
memory/3044-135-0x0000000004C40000-0x0000000004C52000-memory.dmpFilesize
72KB
-
memory/3044-136-0x0000000004C60000-0x0000000004D6A000-memory.dmpFilesize
1.0MB
-
memory/3044-137-0x0000000004D90000-0x0000000004DCC000-memory.dmpFilesize
240KB
-
memory/3044-138-0x00000000068E0000-0x0000000006972000-memory.dmpFilesize
584KB
-
memory/3044-139-0x0000000006990000-0x00000000069F6000-memory.dmpFilesize
408KB
-
memory/3044-140-0x0000000006CF0000-0x0000000006D66000-memory.dmpFilesize
472KB
-
memory/3044-141-0x0000000006DF0000-0x0000000006E0E000-memory.dmpFilesize
120KB
-
memory/3044-142-0x0000000007130000-0x0000000007180000-memory.dmpFilesize
320KB
-
memory/3044-143-0x0000000007380000-0x0000000007542000-memory.dmpFilesize
1.8MB
-
memory/3044-144-0x0000000007550000-0x0000000007A7C000-memory.dmpFilesize
5.2MB
-
memory/3044-145-0x000000000052E000-0x0000000000558000-memory.dmpFilesize
168KB
-
memory/3044-146-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB