55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd

Analysis

max time kernel
55s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe
Size

4.7MB
MD5

95b3db782cd79a1b4f92f8b493351630
SHA1

493a19b8ebbb70b4a20022a6843af9b782c28737
SHA256

55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd
SHA512

0187dbfda9268224e3f2545d87a452335ca479b8dab000c38675aebb84c04e686595cf5a2b06fa73cbc6a89af340b8c8e049fe1622fa47d48789dfbae98edff4
SSDEEP

98304:bLAQpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:bLbFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1224	4740	WerFault.exe	81
4196	4740	WerFault.exe	81
3540	4740	WerFault.exe	81
1492	4740	WerFault.exe	81
1052	4740	WerFault.exe	81
3100	4740	WerFault.exe	81
1396	4740	WerFault.exe	81
1152	4740	WerFault.exe	81
5088	4740	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	116	wmic.exe
Token: SeSecurityPrivilege	116	wmic.exe
Token: SeTakeOwnershipPrivilege	116	wmic.exe
Token: SeLoadDriverPrivilege	116	wmic.exe
Token: SeSystemProfilePrivilege	116	wmic.exe
Token: SeSystemtimePrivilege	116	wmic.exe
Token: SeProfSingleProcessPrivilege	116	wmic.exe
Token: SeIncBasePriorityPrivilege	116	wmic.exe
Token: SeCreatePagefilePrivilege	116	wmic.exe
Token: SeBackupPrivilege	116	wmic.exe
Token: SeRestorePrivilege	116	wmic.exe
Token: SeShutdownPrivilege	116	wmic.exe
Token: SeDebugPrivilege	116	wmic.exe
Token: SeSystemEnvironmentPrivilege	116	wmic.exe
Token: SeRemoteShutdownPrivilege	116	wmic.exe
Token: SeUndockPrivilege	116	wmic.exe
Token: SeManageVolumePrivilege	116	wmic.exe
Token: 33	116	wmic.exe
Token: 34	116	wmic.exe
Token: 35	116	wmic.exe
Token: 36	116	wmic.exe
Token: SeIncreaseQuotaPrivilege	116	wmic.exe
Token: SeSecurityPrivilege	116	wmic.exe
Token: SeTakeOwnershipPrivilege	116	wmic.exe
Token: SeLoadDriverPrivilege	116	wmic.exe
Token: SeSystemProfilePrivilege	116	wmic.exe
Token: SeSystemtimePrivilege	116	wmic.exe
Token: SeProfSingleProcessPrivilege	116	wmic.exe
Token: SeIncBasePriorityPrivilege	116	wmic.exe
Token: SeCreatePagefilePrivilege	116	wmic.exe
Token: SeBackupPrivilege	116	wmic.exe
Token: SeRestorePrivilege	116	wmic.exe
Token: SeShutdownPrivilege	116	wmic.exe
Token: SeDebugPrivilege	116	wmic.exe
Token: SeSystemEnvironmentPrivilege	116	wmic.exe
Token: SeRemoteShutdownPrivilege	116	wmic.exe
Token: SeUndockPrivilege	116	wmic.exe
Token: SeManageVolumePrivilege	116	wmic.exe
Token: 33	116	wmic.exe
Token: 34	116	wmic.exe
Token: 35	116	wmic.exe
Token: 36	116	wmic.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: 36	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 116	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	97
PID 4740 wrote to memory of 116	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	97
PID 4740 wrote to memory of 116	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	97
PID 4740 wrote to memory of 4244	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	106
PID 4740 wrote to memory of 4244	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	106
PID 4740 wrote to memory of 4244	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	106
PID 4244 wrote to memory of 2216	4244	cmd.exe	108
PID 4244 wrote to memory of 2216	4244	cmd.exe	108
PID 4244 wrote to memory of 2216	4244	cmd.exe	108
PID 4740 wrote to memory of 3204	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	109
PID 4740 wrote to memory of 3204	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	109
PID 4740 wrote to memory of 3204	4740	55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe	109
PID 3204 wrote to memory of 2660	3204	cmd.exe	111
PID 3204 wrote to memory of 2660	3204	cmd.exe	111
PID 3204 wrote to memory of 2660	3204	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe
"C:\Users\Admin\AppData\Local\Temp\55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 536
  2⤵
  - Program crash
  PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 560
  2⤵
  - Program crash
  PID:4196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 540
  2⤵
  - Program crash
  PID:3540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 616
  2⤵
  - Program crash
  PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 636
  2⤵
  - Program crash
  PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 812
  2⤵
  - Program crash
  PID:3100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1292
  2⤵
  - Program crash
  PID:1396
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1328
  2⤵
  - Program crash
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:2660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 140
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4740 -ip 4740
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4740 -ip 4740
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4740 -ip 4740
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4740 -ip 4740
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4740 -ip 4740
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4740 -ip 4740
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4740 -ip 4740
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4740 -ip 4740
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4740 -ip 4740
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4740-132-0x0000000003100000-0x0000000003547000-memory.dmp

Filesize
4.3MB

Download
memory/4740-133-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/4740-137-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/4740-140-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download