c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356

Analysis

max time kernel
52s
max time network
60s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05-10-2022 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe
Size

4.7MB
MD5

1ce60bdb282d6bc31a3b498fd23a4176
SHA1

e23d82d3216c905381db12d3e94b03b0fee7a67a
SHA256

c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356
SHA512

e9fa7e6249695d2fe2741fc3c4256a011218020ff09a002778d89c5e3c5c789787598ddb733cb6b2e88438a66b1e5ba75d7f697a21c0ef6216adbed7dc314b39
SSDEEP

98304:m2hxpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:mQbFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3476	2732	WerFault.exe	65
3552	2732	WerFault.exe	65
4304	2732	WerFault.exe	65
4336	2732	WerFault.exe	65
4896	2732	WerFault.exe	65
2176	2732	WerFault.exe	65
4380	2732	WerFault.exe	65
4248	2732	WerFault.exe	65
4260	2732	WerFault.exe	65
3268	2732	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe
Token: SeDebugPrivilege	3036	wmic.exe
Token: SeSystemEnvironmentPrivilege	3036	wmic.exe
Token: SeRemoteShutdownPrivilege	3036	wmic.exe
Token: SeUndockPrivilege	3036	wmic.exe
Token: SeManageVolumePrivilege	3036	wmic.exe
Token: 33	3036	wmic.exe
Token: 34	3036	wmic.exe
Token: 35	3036	wmic.exe
Token: 36	3036	wmic.exe
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe
Token: SeDebugPrivilege	3036	wmic.exe
Token: SeSystemEnvironmentPrivilege	3036	wmic.exe
Token: SeRemoteShutdownPrivilege	3036	wmic.exe
Token: SeUndockPrivilege	3036	wmic.exe
Token: SeManageVolumePrivilege	3036	wmic.exe
Token: 33	3036	wmic.exe
Token: 34	3036	wmic.exe
Token: 35	3036	wmic.exe
Token: 36	3036	wmic.exe
Token: SeIncreaseQuotaPrivilege	4616	WMIC.exe
Token: SeSecurityPrivilege	4616	WMIC.exe
Token: SeTakeOwnershipPrivilege	4616	WMIC.exe
Token: SeLoadDriverPrivilege	4616	WMIC.exe
Token: SeSystemProfilePrivilege	4616	WMIC.exe
Token: SeSystemtimePrivilege	4616	WMIC.exe
Token: SeProfSingleProcessPrivilege	4616	WMIC.exe
Token: SeIncBasePriorityPrivilege	4616	WMIC.exe
Token: SeCreatePagefilePrivilege	4616	WMIC.exe
Token: SeBackupPrivilege	4616	WMIC.exe
Token: SeRestorePrivilege	4616	WMIC.exe
Token: SeShutdownPrivilege	4616	WMIC.exe
Token: SeDebugPrivilege	4616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4616	WMIC.exe
Token: SeRemoteShutdownPrivilege	4616	WMIC.exe
Token: SeUndockPrivilege	4616	WMIC.exe
Token: SeManageVolumePrivilege	4616	WMIC.exe
Token: 33	4616	WMIC.exe
Token: 34	4616	WMIC.exe
Token: 35	4616	WMIC.exe
Token: 36	4616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4616	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3036	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	73
PID 2732 wrote to memory of 3036	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	73
PID 2732 wrote to memory of 3036	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	73
PID 2732 wrote to memory of 4484	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	79
PID 2732 wrote to memory of 4484	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	79
PID 2732 wrote to memory of 4484	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	79
PID 4484 wrote to memory of 4616	4484	cmd.exe	81
PID 4484 wrote to memory of 4616	4484	cmd.exe	81
PID 4484 wrote to memory of 4616	4484	cmd.exe	81
PID 2732 wrote to memory of 4732	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	82
PID 2732 wrote to memory of 4732	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	82
PID 2732 wrote to memory of 4732	2732	c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe	82
PID 4732 wrote to memory of 4436	4732	cmd.exe	84
PID 4732 wrote to memory of 4436	4732	cmd.exe	84
PID 4732 wrote to memory of 4436	4732	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe
"C:\Users\Admin\AppData\Local\Temp\c97255945262b84ab9b376f56b29cc544823885216137434b3aab8a110da1356.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 524
  2⤵
  - Program crash
  PID:3476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 500
  2⤵
  - Program crash
  PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 568
  2⤵
  - Program crash
  PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 584
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 756
  2⤵
  - Program crash
  PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 852
  2⤵
  - Program crash
  PID:2176
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1300
  2⤵
  - Program crash
  PID:4380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1316
  2⤵
  - Program crash
  PID:4248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1372
  2⤵
  - Program crash
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 312
  2⤵
  - Program crash
  PID:3268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-120-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-121-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-122-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-123-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-124-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-125-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-126-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-127-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-128-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-129-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-130-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-131-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-132-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-133-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-134-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-135-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-136-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-137-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-138-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-139-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-140-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-141-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-142-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-143-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-144-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-145-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-146-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-147-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-148-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-149-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-150-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-151-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-152-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-153-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-154-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-155-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-156-0x00000000030A0000-0x00000000034E7000-memory.dmp

Filesize
4.3MB

Download
memory/2732-157-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/2732-158-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-159-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-160-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-161-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-162-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-163-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-164-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-165-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-166-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-167-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-168-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-169-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-384-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/2732-385-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/3036-171-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-172-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-173-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-174-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-175-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-176-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-177-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-178-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-179-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-180-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-181-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-182-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-183-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-184-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-185-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/3036-186-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download