1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe

Analysis

max time kernel
91s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2022, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe
Size

4.7MB
MD5

d0e8bcab53a6560a47ec7023e81678aa
SHA1

761567e513b36270d64cbc7857321f1993b967dc
SHA256

1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe
SHA512

425d95a71ad1e8614635a444f8d0aa0db52faebc526cac756513277fb28e35d89bdd2664023e7ac2590a7c5213dba2d00bc05fa83ef0a5d07694f0f12bf79f7e
SSDEEP

98304:06BpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:06bFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1484	2140	WerFault.exe	81
4984	2140	WerFault.exe	81
3480	2140	WerFault.exe	81
3628	2140	WerFault.exe	81
1312	2140	WerFault.exe	81
4244	2140	WerFault.exe	81
1404	2140	WerFault.exe	81
3780	2140	WerFault.exe	81
2536	2140	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2956	wmic.exe
Token: SeSecurityPrivilege	2956	wmic.exe
Token: SeTakeOwnershipPrivilege	2956	wmic.exe
Token: SeLoadDriverPrivilege	2956	wmic.exe
Token: SeSystemProfilePrivilege	2956	wmic.exe
Token: SeSystemtimePrivilege	2956	wmic.exe
Token: SeProfSingleProcessPrivilege	2956	wmic.exe
Token: SeIncBasePriorityPrivilege	2956	wmic.exe
Token: SeCreatePagefilePrivilege	2956	wmic.exe
Token: SeBackupPrivilege	2956	wmic.exe
Token: SeRestorePrivilege	2956	wmic.exe
Token: SeShutdownPrivilege	2956	wmic.exe
Token: SeDebugPrivilege	2956	wmic.exe
Token: SeSystemEnvironmentPrivilege	2956	wmic.exe
Token: SeRemoteShutdownPrivilege	2956	wmic.exe
Token: SeUndockPrivilege	2956	wmic.exe
Token: SeManageVolumePrivilege	2956	wmic.exe
Token: 33	2956	wmic.exe
Token: 34	2956	wmic.exe
Token: 35	2956	wmic.exe
Token: 36	2956	wmic.exe
Token: SeIncreaseQuotaPrivilege	2956	wmic.exe
Token: SeSecurityPrivilege	2956	wmic.exe
Token: SeTakeOwnershipPrivilege	2956	wmic.exe
Token: SeLoadDriverPrivilege	2956	wmic.exe
Token: SeSystemProfilePrivilege	2956	wmic.exe
Token: SeSystemtimePrivilege	2956	wmic.exe
Token: SeProfSingleProcessPrivilege	2956	wmic.exe
Token: SeIncBasePriorityPrivilege	2956	wmic.exe
Token: SeCreatePagefilePrivilege	2956	wmic.exe
Token: SeBackupPrivilege	2956	wmic.exe
Token: SeRestorePrivilege	2956	wmic.exe
Token: SeShutdownPrivilege	2956	wmic.exe
Token: SeDebugPrivilege	2956	wmic.exe
Token: SeSystemEnvironmentPrivilege	2956	wmic.exe
Token: SeRemoteShutdownPrivilege	2956	wmic.exe
Token: SeUndockPrivilege	2956	wmic.exe
Token: SeManageVolumePrivilege	2956	wmic.exe
Token: 33	2956	wmic.exe
Token: 34	2956	wmic.exe
Token: 35	2956	wmic.exe
Token: 36	2956	wmic.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe
Token: 35	3496	WMIC.exe
Token: 36	3496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2956	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	95
PID 2140 wrote to memory of 2956	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	95
PID 2140 wrote to memory of 2956	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	95
PID 2140 wrote to memory of 3828	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	101
PID 2140 wrote to memory of 3828	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	101
PID 2140 wrote to memory of 3828	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	101
PID 3828 wrote to memory of 3496	3828	cmd.exe	103
PID 3828 wrote to memory of 3496	3828	cmd.exe	103
PID 3828 wrote to memory of 3496	3828	cmd.exe	103
PID 2140 wrote to memory of 212	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	104
PID 2140 wrote to memory of 212	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	104
PID 2140 wrote to memory of 212	2140	1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe	104
PID 212 wrote to memory of 3956	212	cmd.exe	106
PID 212 wrote to memory of 3956	212	cmd.exe	106
PID 212 wrote to memory of 3956	212	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe
"C:\Users\Admin\AppData\Local\Temp\1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 544
  2⤵
  - Program crash
  PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 552
  2⤵
  - Program crash
  PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 556
  2⤵
  - Program crash
  PID:3480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 644
  2⤵
  - Program crash
  PID:3628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 760
  2⤵
  - Program crash
  PID:1312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 792
  2⤵
  - Program crash
  PID:4244
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1296
  2⤵
  - Program crash
  PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1352
  2⤵
  - Program crash
  PID:3780
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 140
  2⤵
  - Program crash
  PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2140 -ip 2140
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2140 -ip 2140
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2140 -ip 2140
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2140 -ip 2140
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2140 -ip 2140
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2140 -ip 2140
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2140 -ip 2140
1⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2140 -ip 2140
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2140 -ip 2140
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-132-0x0000000003140000-0x0000000003587000-memory.dmp

Filesize
4.3MB

Download
memory/2140-133-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2140-139-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download