b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c

Analysis

max time kernel
79s
max time network
84s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
11/10/2022, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe
Size

5.6MB
MD5

150374e04eed6b787c7dc7c2f3b19630
SHA1

547256083f5c646c5274ce8b042c46e48d2214f8
SHA256

b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c
SHA512

60406d33897c9a5e4a86a549b24aa07183182d5bae811c2ff321047df38870da77f50dd0171bd5ba1b45aefff6fd0c71535664a36470e370f436005478571fef
SSDEEP

49152:RIEXqFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcy20RHrzKgi1ao:RIENSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4328	wmic.exe
Token: SeSecurityPrivilege	4328	wmic.exe
Token: SeTakeOwnershipPrivilege	4328	wmic.exe
Token: SeLoadDriverPrivilege	4328	wmic.exe
Token: SeSystemProfilePrivilege	4328	wmic.exe
Token: SeSystemtimePrivilege	4328	wmic.exe
Token: SeProfSingleProcessPrivilege	4328	wmic.exe
Token: SeIncBasePriorityPrivilege	4328	wmic.exe
Token: SeCreatePagefilePrivilege	4328	wmic.exe
Token: SeBackupPrivilege	4328	wmic.exe
Token: SeRestorePrivilege	4328	wmic.exe
Token: SeShutdownPrivilege	4328	wmic.exe
Token: SeDebugPrivilege	4328	wmic.exe
Token: SeSystemEnvironmentPrivilege	4328	wmic.exe
Token: SeRemoteShutdownPrivilege	4328	wmic.exe
Token: SeUndockPrivilege	4328	wmic.exe
Token: SeManageVolumePrivilege	4328	wmic.exe
Token: 33	4328	wmic.exe
Token: 34	4328	wmic.exe
Token: 35	4328	wmic.exe
Token: 36	4328	wmic.exe
Token: SeIncreaseQuotaPrivilege	4328	wmic.exe
Token: SeSecurityPrivilege	4328	wmic.exe
Token: SeTakeOwnershipPrivilege	4328	wmic.exe
Token: SeLoadDriverPrivilege	4328	wmic.exe
Token: SeSystemProfilePrivilege	4328	wmic.exe
Token: SeSystemtimePrivilege	4328	wmic.exe
Token: SeProfSingleProcessPrivilege	4328	wmic.exe
Token: SeIncBasePriorityPrivilege	4328	wmic.exe
Token: SeCreatePagefilePrivilege	4328	wmic.exe
Token: SeBackupPrivilege	4328	wmic.exe
Token: SeRestorePrivilege	4328	wmic.exe
Token: SeShutdownPrivilege	4328	wmic.exe
Token: SeDebugPrivilege	4328	wmic.exe
Token: SeSystemEnvironmentPrivilege	4328	wmic.exe
Token: SeRemoteShutdownPrivilege	4328	wmic.exe
Token: SeUndockPrivilege	4328	wmic.exe
Token: SeManageVolumePrivilege	4328	wmic.exe
Token: 33	4328	wmic.exe
Token: 34	4328	wmic.exe
Token: 35	4328	wmic.exe
Token: 36	4328	wmic.exe
Token: SeIncreaseQuotaPrivilege	4796	WMIC.exe
Token: SeSecurityPrivilege	4796	WMIC.exe
Token: SeTakeOwnershipPrivilege	4796	WMIC.exe
Token: SeLoadDriverPrivilege	4796	WMIC.exe
Token: SeSystemProfilePrivilege	4796	WMIC.exe
Token: SeSystemtimePrivilege	4796	WMIC.exe
Token: SeProfSingleProcessPrivilege	4796	WMIC.exe
Token: SeIncBasePriorityPrivilege	4796	WMIC.exe
Token: SeCreatePagefilePrivilege	4796	WMIC.exe
Token: SeBackupPrivilege	4796	WMIC.exe
Token: SeRestorePrivilege	4796	WMIC.exe
Token: SeShutdownPrivilege	4796	WMIC.exe
Token: SeDebugPrivilege	4796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4796	WMIC.exe
Token: SeRemoteShutdownPrivilege	4796	WMIC.exe
Token: SeUndockPrivilege	4796	WMIC.exe
Token: SeManageVolumePrivilege	4796	WMIC.exe
Token: 33	4796	WMIC.exe
Token: 34	4796	WMIC.exe
Token: 35	4796	WMIC.exe
Token: 36	4796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4796	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 4328	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	66
PID 2176 wrote to memory of 4328	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	66
PID 2176 wrote to memory of 4328	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	66
PID 2176 wrote to memory of 4752	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	69
PID 2176 wrote to memory of 4752	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	69
PID 2176 wrote to memory of 4752	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	69
PID 4752 wrote to memory of 4796	4752	cmd.exe	71
PID 4752 wrote to memory of 4796	4752	cmd.exe	71
PID 4752 wrote to memory of 4796	4752	cmd.exe	71
PID 2176 wrote to memory of 4484	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	72
PID 2176 wrote to memory of 4484	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	72
PID 2176 wrote to memory of 4484	2176	b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe	72
PID 4484 wrote to memory of 4808	4484	cmd.exe	74
PID 4484 wrote to memory of 4808	4484	cmd.exe	74
PID 4484 wrote to memory of 4808	4484	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe
"C:\Users\Admin\AppData\Local\Temp\b2e342aa5f2c252aac742eb2164bd089d358bea8116f524a6190b5c8841cf73c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-151-0x00000000034F0000-0x0000000003A0F000-memory.dmp

Filesize
5.1MB

Download
memory/2176-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-152-0x0000000000400000-0x00000000009A1000-memory.dmp

Filesize
5.6MB

Download
memory/2176-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-166-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-194-0x0000000000400000-0x00000000009A1000-memory.dmp

Filesize
5.6MB

Download
memory/2176-385-0x0000000000400000-0x00000000009A1000-memory.dmp

Filesize
5.6MB

Download
memory/4328-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-183-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-186-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download