1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02

Analysis

max time kernel
93s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe
Size

5.8MB
MD5

0616fc637e8a7b1e1c7467e530b5681e
SHA1

cec97409e336742fed99ed26037c4948472e6598
SHA256

1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02
SHA512

4e92b4831874873d175bf12dd460131a516bf5ddf67d549c184294998dbecb19acf03d7a0a1121aa418092ca9c0237fc84b9cccb645a0ca3d35120b6b41776d2
SSDEEP

49152:qnV9xa9Fe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcy20RHrzKgiR:qnV9xHSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2148	4724	WerFault.exe	81
2416	4724	WerFault.exe	81
612	4724	WerFault.exe	81
3224	4724	WerFault.exe	81
3508	4724	WerFault.exe	81
536	4724	WerFault.exe	81
204	4724	WerFault.exe	81
988	4724	WerFault.exe	81
1892	4724	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: 36	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: 36	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	4136	WMIC.exe
Token: SeSecurityPrivilege	4136	WMIC.exe
Token: SeTakeOwnershipPrivilege	4136	WMIC.exe
Token: SeLoadDriverPrivilege	4136	WMIC.exe
Token: SeSystemProfilePrivilege	4136	WMIC.exe
Token: SeSystemtimePrivilege	4136	WMIC.exe
Token: SeProfSingleProcessPrivilege	4136	WMIC.exe
Token: SeIncBasePriorityPrivilege	4136	WMIC.exe
Token: SeCreatePagefilePrivilege	4136	WMIC.exe
Token: SeBackupPrivilege	4136	WMIC.exe
Token: SeRestorePrivilege	4136	WMIC.exe
Token: SeShutdownPrivilege	4136	WMIC.exe
Token: SeDebugPrivilege	4136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4136	WMIC.exe
Token: SeRemoteShutdownPrivilege	4136	WMIC.exe
Token: SeUndockPrivilege	4136	WMIC.exe
Token: SeManageVolumePrivilege	4136	WMIC.exe
Token: 33	4136	WMIC.exe
Token: 34	4136	WMIC.exe
Token: 35	4136	WMIC.exe
Token: 36	4136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4136	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2764	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	95
PID 4724 wrote to memory of 2764	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	95
PID 4724 wrote to memory of 2764	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	95
PID 4724 wrote to memory of 2868	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	102
PID 4724 wrote to memory of 2868	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	102
PID 4724 wrote to memory of 2868	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	102
PID 2868 wrote to memory of 4136	2868	cmd.exe	104
PID 2868 wrote to memory of 4136	2868	cmd.exe	104
PID 2868 wrote to memory of 4136	2868	cmd.exe	104
PID 4724 wrote to memory of 1440	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	105
PID 4724 wrote to memory of 1440	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	105
PID 4724 wrote to memory of 1440	4724	1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe	105
PID 1440 wrote to memory of 4120	1440	cmd.exe	107
PID 1440 wrote to memory of 4120	1440	cmd.exe	107
PID 1440 wrote to memory of 4120	1440	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe
"C:\Users\Admin\AppData\Local\Temp\1ee98af7ce3a3da7366d618a5ca35b6e7fd8397f68e2ab672b5abd6250fa5a02.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 564
  2⤵
  - Program crash
  PID:2148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 584
  2⤵
  - Program crash
  PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 564
  2⤵
  - Program crash
  PID:612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 636
  2⤵
  - Program crash
  PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 820
  2⤵
  - Program crash
  PID:3508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 868
  2⤵
  - Program crash
  PID:536
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1320
  2⤵
  - Program crash
  PID:204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1368
  2⤵
  - Program crash
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 156
  2⤵
  - Program crash
  PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4724 -ip 4724
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4724 -ip 4724
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4724 -ip 4724
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4724 -ip 4724
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4724 -ip 4724
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4724 -ip 4724
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4724 -ip 4724
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4724 -ip 4724
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4724-132-0x00000000032F0000-0x000000000380F000-memory.dmp

Filesize
5.1MB

Download
memory/4724-133-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/4724-139-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/4724-140-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download