311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe
Size

4.7MB
MD5

dfadea302af88aa95c5e46d9c64b762a
SHA1

80f2a167f8933a0363139ae02934c2e9f72c3779
SHA256

311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f
SHA512

09292d20377bb68c5a8ac4ed977feb66ccbf7034f545c9fa64ef90ff55624cd6752da2f3a84e4326ef165ea6a6a8607605256563f6dd9bd50265de951a75b3f5
SSDEEP

98304:bLAcpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:b/bFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1248	680	WerFault.exe	81
1456	680	WerFault.exe	81
3308	680	WerFault.exe	81
1868	680	WerFault.exe	81
2420	680	WerFault.exe	81
1652	680	WerFault.exe	81
228	680	WerFault.exe	81
1244	680	WerFault.exe	81
2932	680	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe
Token: SeSecurityPrivilege	1644	wmic.exe
Token: SeTakeOwnershipPrivilege	1644	wmic.exe
Token: SeLoadDriverPrivilege	1644	wmic.exe
Token: SeSystemProfilePrivilege	1644	wmic.exe
Token: SeSystemtimePrivilege	1644	wmic.exe
Token: SeProfSingleProcessPrivilege	1644	wmic.exe
Token: SeIncBasePriorityPrivilege	1644	wmic.exe
Token: SeCreatePagefilePrivilege	1644	wmic.exe
Token: SeBackupPrivilege	1644	wmic.exe
Token: SeRestorePrivilege	1644	wmic.exe
Token: SeShutdownPrivilege	1644	wmic.exe
Token: SeDebugPrivilege	1644	wmic.exe
Token: SeSystemEnvironmentPrivilege	1644	wmic.exe
Token: SeRemoteShutdownPrivilege	1644	wmic.exe
Token: SeUndockPrivilege	1644	wmic.exe
Token: SeManageVolumePrivilege	1644	wmic.exe
Token: 33	1644	wmic.exe
Token: 34	1644	wmic.exe
Token: 35	1644	wmic.exe
Token: 36	1644	wmic.exe
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe
Token: SeSecurityPrivilege	1644	wmic.exe
Token: SeTakeOwnershipPrivilege	1644	wmic.exe
Token: SeLoadDriverPrivilege	1644	wmic.exe
Token: SeSystemProfilePrivilege	1644	wmic.exe
Token: SeSystemtimePrivilege	1644	wmic.exe
Token: SeProfSingleProcessPrivilege	1644	wmic.exe
Token: SeIncBasePriorityPrivilege	1644	wmic.exe
Token: SeCreatePagefilePrivilege	1644	wmic.exe
Token: SeBackupPrivilege	1644	wmic.exe
Token: SeRestorePrivilege	1644	wmic.exe
Token: SeShutdownPrivilege	1644	wmic.exe
Token: SeDebugPrivilege	1644	wmic.exe
Token: SeSystemEnvironmentPrivilege	1644	wmic.exe
Token: SeRemoteShutdownPrivilege	1644	wmic.exe
Token: SeUndockPrivilege	1644	wmic.exe
Token: SeManageVolumePrivilege	1644	wmic.exe
Token: 33	1644	wmic.exe
Token: 34	1644	wmic.exe
Token: 35	1644	wmic.exe
Token: 36	1644	wmic.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1644	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	94
PID 680 wrote to memory of 1644	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	94
PID 680 wrote to memory of 1644	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	94
PID 680 wrote to memory of 3516	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	101
PID 680 wrote to memory of 3516	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	101
PID 680 wrote to memory of 3516	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	101
PID 3516 wrote to memory of 3208	3516	cmd.exe	103
PID 3516 wrote to memory of 3208	3516	cmd.exe	103
PID 3516 wrote to memory of 3208	3516	cmd.exe	103
PID 680 wrote to memory of 3160	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	104
PID 680 wrote to memory of 3160	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	104
PID 680 wrote to memory of 3160	680	311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe	104
PID 3160 wrote to memory of 3464	3160	cmd.exe	106
PID 3160 wrote to memory of 3464	3160	cmd.exe	106
PID 3160 wrote to memory of 3464	3160	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe
"C:\Users\Admin\AppData\Local\Temp\311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 536
  2⤵
  - Program crash
  PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 560
  2⤵
  - Program crash
  PID:1456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 540
  2⤵
  - Program crash
  PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 644
  2⤵
  - Program crash
  PID:1868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 760
  2⤵
  - Program crash
  PID:2420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 844
  2⤵
  - Program crash
  PID:1652
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1304
  2⤵
  - Program crash
  PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1360
  2⤵
  - Program crash
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 140
  2⤵
  - Program crash
  PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 680 -ip 680
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 680 -ip 680
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 680 -ip 680
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 680 -ip 680
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 680 -ip 680
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 680 -ip 680
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 680 -ip 680
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 680 -ip 680
1⤵
PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 680 -ip 680
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-132-0x0000000003110000-0x0000000003557000-memory.dmp

Filesize
4.3MB

Download
memory/680-133-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/680-135-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/680-140-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download