b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3

General

Target

b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
Size

99KB
MD5

51b747992c160ffff02c9e577b8577c5
SHA1

6f661daab8849978d531451747228ec530bd2d96
SHA256

b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3
SHA512

28c7e34cbf906cd55af64e6226aa48b17b57984f1fc95d9c2c52a4cdb52ab90025e7f7fb2960456c93d6798a49a9882992bf3e2253929bef3b3cb72b9a268122
SSDEEP

1536:Wdb/vBxIdFlU0AfLhANuIj7Aw6RuNSHSNyszvlk1jEqoSWJY66dlaU26kxnDtoIJ:WnilMfONuXw6RuNDAsjlkDQC66DZGvJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
820	GammaXvid.exe

Loads dropped DLL 6 IoCs

pid	Process
1364	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
1364	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1220	820	WerFault.exe	26

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 820	1364	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	26
PID 1364 wrote to memory of 820	1364	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	26
PID 1364 wrote to memory of 820	1364	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	26
PID 1364 wrote to memory of 820	1364	b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe	26
PID 820 wrote to memory of 1220	820	GammaXvid.exe	28
PID 820 wrote to memory of 1220	820	GammaXvid.exe	28
PID 820 wrote to memory of 1220	820	GammaXvid.exe	28
PID 820 wrote to memory of 1220	820	GammaXvid.exe	28

C:\Users\Admin\AppData\Local\Temp\b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe
"C:\Users\Admin\AppData\Local\Temp\b87d037030f0c70f74411c56163e9342748b76cd4d8ee2727ed672b8311efac3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe
  C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 396
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
\Users\Admin\AppData\Local\Temp\GammaXvid.exe

Filesize
45KB

MD5
95973a2b3f841b676126b406b704913d

SHA1
5a82d6292dfcff060b0ce46cfa66ed00f6071c1a

SHA256
e72ba5c311ceb6bd2d89352ff2b1af45aaaaaf87ee1b192cd094e66774af914d

SHA512
8794f222ab4d0438d487307ff042a92b2bd7820de664354a0158984f9baee93b035984f051a7f809dfaf84ceb160527f6b23a9d16372ed173e1bbd3a25cd947d

Download Submit
memory/820-65-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/820-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing