a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe
Size

5.3MB
MD5

20cf0c8209a03bb940b22fec7785203d
SHA1

1baa199f25b1e75136ef372d437b28a34789e11a
SHA256

a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f
SHA512

32548d06653778b1c5a74fa33cf3b26595baf22911f8ea74e6aa481a37d26bea2f000716444807a3a4a2e915e399b99cb71537c74884c00c7adc341a7bc8ad13
SSDEEP

98304:ByIwfYjszpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7W:BaEszbFmS3VjVEOeTtJHbdnrz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4884	4532	WerFault.exe	81
2732	4532	WerFault.exe	81
3500	4532	WerFault.exe	81
1564	4532	WerFault.exe	81
3140	4532	WerFault.exe	81
2008	4532	WerFault.exe	81
4712	4532	WerFault.exe	81
5012	4532	WerFault.exe	81
4208	4532	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe
Token: 33	4476	wmic.exe
Token: 34	4476	wmic.exe
Token: 35	4476	wmic.exe
Token: 36	4476	wmic.exe
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe
Token: 33	4476	wmic.exe
Token: 34	4476	wmic.exe
Token: 35	4476	wmic.exe
Token: 36	4476	wmic.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe
Token: 36	5004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4476	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	103
PID 4532 wrote to memory of 4476	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	103
PID 4532 wrote to memory of 4476	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	103
PID 4532 wrote to memory of 2588	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	107
PID 4532 wrote to memory of 2588	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	107
PID 4532 wrote to memory of 2588	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	107
PID 2588 wrote to memory of 5004	2588	cmd.exe	109
PID 2588 wrote to memory of 5004	2588	cmd.exe	109
PID 2588 wrote to memory of 5004	2588	cmd.exe	109
PID 4532 wrote to memory of 1104	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	110
PID 4532 wrote to memory of 1104	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	110
PID 4532 wrote to memory of 1104	4532	a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe	110
PID 1104 wrote to memory of 2792	1104	cmd.exe	112
PID 1104 wrote to memory of 2792	1104	cmd.exe	112
PID 1104 wrote to memory of 2792	1104	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe
"C:\Users\Admin\AppData\Local\Temp\a06e437ce4de1890ddd6339a0cfef007eb7a30726ce7b17eabce3b7d601ef18f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 568
  2⤵
  - Program crash
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 580
  2⤵
  - Program crash
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 484
  2⤵
  - Program crash
  PID:3500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 648
  2⤵
  - Program crash
  PID:1564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 684
  2⤵
  - Program crash
  PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 712
  2⤵
  - Program crash
  PID:2008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 896
  2⤵
  - Program crash
  PID:4712
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1340
  2⤵
  - Program crash
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:2792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 152
  2⤵
  - Program crash
  PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4532 -ip 4532
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4532 -ip 4532
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4532 -ip 4532
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4532 -ip 4532
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4532 -ip 4532
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4532 -ip 4532
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4532 -ip 4532
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4532 -ip 4532
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4532 -ip 4532
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4532-132-0x00000000030F0000-0x0000000003537000-memory.dmp

Filesize
4.3MB

Download
memory/4532-133-0x0000000000400000-0x0000000000959000-memory.dmp

Filesize
5.3MB

Download
memory/4532-139-0x0000000000400000-0x0000000000959000-memory.dmp

Filesize
5.3MB

Download