77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49

Analysis

max time kernel
62s
max time network
67s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2022, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe
Size

4.7MB
MD5

07510c01fd38553fe8146cd16293a733
SHA1

3b6b6d9b494ea46ca9b8815a842be0423ec5a9cc
SHA256

77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49
SHA512

ca63fd0bbfbe4d748a98607790f8c78c50868da05eb1ce49e1fc4fa8c562114d637c0f3cace15f4dc80df4f39faa0597bcd30eb740daa7b3f8c78059f69a86ae
SSDEEP

98304:bLAkpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:b/bFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3032	1788	WerFault.exe	65
4540	1788	WerFault.exe	65
4640	1788	WerFault.exe	65
4816	1788	WerFault.exe	65
2768	1788	WerFault.exe	65
3244	1788	WerFault.exe	65
5104	1788	WerFault.exe	65
2204	1788	WerFault.exe	65
300	1788	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5008	wmic.exe
Token: SeSecurityPrivilege	5008	wmic.exe
Token: SeTakeOwnershipPrivilege	5008	wmic.exe
Token: SeLoadDriverPrivilege	5008	wmic.exe
Token: SeSystemProfilePrivilege	5008	wmic.exe
Token: SeSystemtimePrivilege	5008	wmic.exe
Token: SeProfSingleProcessPrivilege	5008	wmic.exe
Token: SeIncBasePriorityPrivilege	5008	wmic.exe
Token: SeCreatePagefilePrivilege	5008	wmic.exe
Token: SeBackupPrivilege	5008	wmic.exe
Token: SeRestorePrivilege	5008	wmic.exe
Token: SeShutdownPrivilege	5008	wmic.exe
Token: SeDebugPrivilege	5008	wmic.exe
Token: SeSystemEnvironmentPrivilege	5008	wmic.exe
Token: SeRemoteShutdownPrivilege	5008	wmic.exe
Token: SeUndockPrivilege	5008	wmic.exe
Token: SeManageVolumePrivilege	5008	wmic.exe
Token: 33	5008	wmic.exe
Token: 34	5008	wmic.exe
Token: 35	5008	wmic.exe
Token: 36	5008	wmic.exe
Token: SeIncreaseQuotaPrivilege	5008	wmic.exe
Token: SeSecurityPrivilege	5008	wmic.exe
Token: SeTakeOwnershipPrivilege	5008	wmic.exe
Token: SeLoadDriverPrivilege	5008	wmic.exe
Token: SeSystemProfilePrivilege	5008	wmic.exe
Token: SeSystemtimePrivilege	5008	wmic.exe
Token: SeProfSingleProcessPrivilege	5008	wmic.exe
Token: SeIncBasePriorityPrivilege	5008	wmic.exe
Token: SeCreatePagefilePrivilege	5008	wmic.exe
Token: SeBackupPrivilege	5008	wmic.exe
Token: SeRestorePrivilege	5008	wmic.exe
Token: SeShutdownPrivilege	5008	wmic.exe
Token: SeDebugPrivilege	5008	wmic.exe
Token: SeSystemEnvironmentPrivilege	5008	wmic.exe
Token: SeRemoteShutdownPrivilege	5008	wmic.exe
Token: SeUndockPrivilege	5008	wmic.exe
Token: SeManageVolumePrivilege	5008	wmic.exe
Token: 33	5008	wmic.exe
Token: 34	5008	wmic.exe
Token: 35	5008	wmic.exe
Token: 36	5008	wmic.exe
Token: SeIncreaseQuotaPrivilege	4432	WMIC.exe
Token: SeSecurityPrivilege	4432	WMIC.exe
Token: SeTakeOwnershipPrivilege	4432	WMIC.exe
Token: SeLoadDriverPrivilege	4432	WMIC.exe
Token: SeSystemProfilePrivilege	4432	WMIC.exe
Token: SeSystemtimePrivilege	4432	WMIC.exe
Token: SeProfSingleProcessPrivilege	4432	WMIC.exe
Token: SeIncBasePriorityPrivilege	4432	WMIC.exe
Token: SeCreatePagefilePrivilege	4432	WMIC.exe
Token: SeBackupPrivilege	4432	WMIC.exe
Token: SeRestorePrivilege	4432	WMIC.exe
Token: SeShutdownPrivilege	4432	WMIC.exe
Token: SeDebugPrivilege	4432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4432	WMIC.exe
Token: SeRemoteShutdownPrivilege	4432	WMIC.exe
Token: SeUndockPrivilege	4432	WMIC.exe
Token: SeManageVolumePrivilege	4432	WMIC.exe
Token: 33	4432	WMIC.exe
Token: 34	4432	WMIC.exe
Token: 35	4432	WMIC.exe
Token: 36	4432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4432	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 5008	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	73
PID 1788 wrote to memory of 5008	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	73
PID 1788 wrote to memory of 5008	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	73
PID 1788 wrote to memory of 3116	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	78
PID 1788 wrote to memory of 3116	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	78
PID 1788 wrote to memory of 3116	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	78
PID 3116 wrote to memory of 4432	3116	cmd.exe	80
PID 3116 wrote to memory of 4432	3116	cmd.exe	80
PID 3116 wrote to memory of 4432	3116	cmd.exe	80
PID 1788 wrote to memory of 4684	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	81
PID 1788 wrote to memory of 4684	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	81
PID 1788 wrote to memory of 4684	1788	77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe	81
PID 4684 wrote to memory of 4552	4684	cmd.exe	83
PID 4684 wrote to memory of 4552	4684	cmd.exe	83
PID 4684 wrote to memory of 4552	4684	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe
"C:\Users\Admin\AppData\Local\Temp\77f2bd36a66cc73e4dd05324ae031fe9ee54a0a06174581cd5268d91f3c19c49.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 524
  2⤵
  - Program crash
  PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 496
  2⤵
  - Program crash
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 556
  2⤵
  - Program crash
  PID:4640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 600
  2⤵
  - Program crash
  PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 740
  2⤵
  - Program crash
  PID:2768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 860
  2⤵
  - Program crash
  PID:3244
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1324
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1360
  2⤵
  - Program crash
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 276
  2⤵
  - Program crash
  PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-153-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-154-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-119-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-120-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-121-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-122-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-123-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-124-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-125-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-155-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-127-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-128-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-129-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-130-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-131-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-132-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-133-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-134-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-135-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-136-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-137-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-138-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-139-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-140-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-141-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-142-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-143-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-144-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-145-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-146-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-147-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-148-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-149-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-150-0x00000000030F0000-0x0000000003537000-memory.dmp

Filesize
4.3MB

Download
memory/1788-151-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1788-152-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-118-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-117-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-126-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-156-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-157-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-158-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-159-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-160-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-161-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-162-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-163-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-164-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-165-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-166-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/1788-191-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1788-382-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/5008-169-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-177-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-170-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-171-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-175-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-168-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-174-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-172-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-176-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-173-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-178-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-179-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-180-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-181-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-182-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/5008-183-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download