4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66

Analysis

max time kernel
52s
max time network
72s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
08-10-2022 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe
Size

4.7MB
MD5

fc0439d966a2be85aab372192739cff1
SHA1

9f613e3eb13d3141b61f26b62c18bba07608b53f
SHA256

4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66
SHA512

38880be983870640fc00a009f6f8c34ed711979cc0b37f6ef57a8002506ca34f8482528aa0f8d7f2c56b8391fa4ffd51109c060fe6ee5f8e77e1d72cb1f36916
SSDEEP

98304:1W7IqpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7i:1WnbFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4796	3176	WerFault.exe	65
4856	3176	WerFault.exe	65
4884	3176	WerFault.exe	65
4244	3176	WerFault.exe	65
3360	3176	WerFault.exe	65
2200	3176	WerFault.exe	65
4848	3176	WerFault.exe	65
3424	3176	WerFault.exe	65
4312	3176	WerFault.exe	65
4900	3176	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2928	wmic.exe
Token: SeSecurityPrivilege	2928	wmic.exe
Token: SeTakeOwnershipPrivilege	2928	wmic.exe
Token: SeLoadDriverPrivilege	2928	wmic.exe
Token: SeSystemProfilePrivilege	2928	wmic.exe
Token: SeSystemtimePrivilege	2928	wmic.exe
Token: SeProfSingleProcessPrivilege	2928	wmic.exe
Token: SeIncBasePriorityPrivilege	2928	wmic.exe
Token: SeCreatePagefilePrivilege	2928	wmic.exe
Token: SeBackupPrivilege	2928	wmic.exe
Token: SeRestorePrivilege	2928	wmic.exe
Token: SeShutdownPrivilege	2928	wmic.exe
Token: SeDebugPrivilege	2928	wmic.exe
Token: SeSystemEnvironmentPrivilege	2928	wmic.exe
Token: SeRemoteShutdownPrivilege	2928	wmic.exe
Token: SeUndockPrivilege	2928	wmic.exe
Token: SeManageVolumePrivilege	2928	wmic.exe
Token: 33	2928	wmic.exe
Token: 34	2928	wmic.exe
Token: 35	2928	wmic.exe
Token: 36	2928	wmic.exe
Token: SeIncreaseQuotaPrivilege	2928	wmic.exe
Token: SeSecurityPrivilege	2928	wmic.exe
Token: SeTakeOwnershipPrivilege	2928	wmic.exe
Token: SeLoadDriverPrivilege	2928	wmic.exe
Token: SeSystemProfilePrivilege	2928	wmic.exe
Token: SeSystemtimePrivilege	2928	wmic.exe
Token: SeProfSingleProcessPrivilege	2928	wmic.exe
Token: SeIncBasePriorityPrivilege	2928	wmic.exe
Token: SeCreatePagefilePrivilege	2928	wmic.exe
Token: SeBackupPrivilege	2928	wmic.exe
Token: SeRestorePrivilege	2928	wmic.exe
Token: SeShutdownPrivilege	2928	wmic.exe
Token: SeDebugPrivilege	2928	wmic.exe
Token: SeSystemEnvironmentPrivilege	2928	wmic.exe
Token: SeRemoteShutdownPrivilege	2928	wmic.exe
Token: SeUndockPrivilege	2928	wmic.exe
Token: SeManageVolumePrivilege	2928	wmic.exe
Token: 33	2928	wmic.exe
Token: 34	2928	wmic.exe
Token: 35	2928	wmic.exe
Token: 36	2928	wmic.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 2928	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	73
PID 3176 wrote to memory of 2928	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	73
PID 3176 wrote to memory of 2928	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	73
PID 3176 wrote to memory of 3152	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	79
PID 3176 wrote to memory of 3152	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	79
PID 3176 wrote to memory of 3152	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	79
PID 3152 wrote to memory of 2496	3152	cmd.exe	81
PID 3152 wrote to memory of 2496	3152	cmd.exe	81
PID 3152 wrote to memory of 2496	3152	cmd.exe	81
PID 3176 wrote to memory of 4532	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	82
PID 3176 wrote to memory of 4532	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	82
PID 3176 wrote to memory of 4532	3176	4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe	82
PID 4532 wrote to memory of 4696	4532	cmd.exe	84
PID 4532 wrote to memory of 4696	4532	cmd.exe	84
PID 4532 wrote to memory of 4696	4532	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe
"C:\Users\Admin\AppData\Local\Temp\4223ac34d100ee3f5129e7094984202e005b2aec1f72580296af182a60c72a66.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 524
  2⤵
  - Program crash
  PID:4796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 540
  2⤵
  - Program crash
  PID:4856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 488
  2⤵
  - Program crash
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 620
  2⤵
  - Program crash
  PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 728
  2⤵
  - Program crash
  PID:3360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 868
  2⤵
  - Program crash
  PID:2200
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1308
  2⤵
  - Program crash
  PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1324
  2⤵
  - Program crash
  PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1376
  2⤵
  - Program crash
  PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 312
  2⤵
  - Program crash
  PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-176-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-181-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-174-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-173-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-179-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-178-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-177-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-166-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-175-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-180-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-172-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-171-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-170-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-169-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-168-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2928-167-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-134-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-161-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-137-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-138-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-131-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-139-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-140-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-141-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-142-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-143-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-144-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-145-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-146-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-147-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-148-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-149-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-150-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-151-0x00000000030F0000-0x0000000003537000-memory.dmp

Filesize
4.3MB

Download
memory/3176-152-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3176-153-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-154-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-155-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-156-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-157-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-158-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-159-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-160-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-136-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-162-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-163-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-164-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-135-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-115-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-133-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-132-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-130-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-129-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-128-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-127-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-126-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-125-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-124-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-123-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-122-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-121-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-120-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-119-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-118-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-117-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-116-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3176-379-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download