42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0

Analysis

max time kernel
60s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2022, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe
Size

5.8MB
MD5

f554af5bc9c6abc6f942dc989bd63f9e
SHA1

233869f3af64239d1a0540d6d5e5798cae69f7dd
SHA256

42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0
SHA512

3019ea71602c54367da569c620994a55ccba3869e49eda28ed98261c6b3ed3ebed36d8bc284f87e8ad0c2ed3a10b754665fdde3518254ac9a0116a4a98fb9c28
SSDEEP

49152:qnV9xa+Fe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcy20RHrzKgiR:qnV9xGSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4304	4116	WerFault.exe	80
5068	4116	WerFault.exe	80
5052	4116	WerFault.exe	80
3872	4116	WerFault.exe	80
2072	4116	WerFault.exe	80
4036	4116	WerFault.exe	80
4424	4116	WerFault.exe	80
2880	4116	WerFault.exe	80
1700	4116	WerFault.exe	80

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1752	wmic.exe
Token: SeSecurityPrivilege	1752	wmic.exe
Token: SeTakeOwnershipPrivilege	1752	wmic.exe
Token: SeLoadDriverPrivilege	1752	wmic.exe
Token: SeSystemProfilePrivilege	1752	wmic.exe
Token: SeSystemtimePrivilege	1752	wmic.exe
Token: SeProfSingleProcessPrivilege	1752	wmic.exe
Token: SeIncBasePriorityPrivilege	1752	wmic.exe
Token: SeCreatePagefilePrivilege	1752	wmic.exe
Token: SeBackupPrivilege	1752	wmic.exe
Token: SeRestorePrivilege	1752	wmic.exe
Token: SeShutdownPrivilege	1752	wmic.exe
Token: SeDebugPrivilege	1752	wmic.exe
Token: SeSystemEnvironmentPrivilege	1752	wmic.exe
Token: SeRemoteShutdownPrivilege	1752	wmic.exe
Token: SeUndockPrivilege	1752	wmic.exe
Token: SeManageVolumePrivilege	1752	wmic.exe
Token: 33	1752	wmic.exe
Token: 34	1752	wmic.exe
Token: 35	1752	wmic.exe
Token: 36	1752	wmic.exe
Token: SeIncreaseQuotaPrivilege	1752	wmic.exe
Token: SeSecurityPrivilege	1752	wmic.exe
Token: SeTakeOwnershipPrivilege	1752	wmic.exe
Token: SeLoadDriverPrivilege	1752	wmic.exe
Token: SeSystemProfilePrivilege	1752	wmic.exe
Token: SeSystemtimePrivilege	1752	wmic.exe
Token: SeProfSingleProcessPrivilege	1752	wmic.exe
Token: SeIncBasePriorityPrivilege	1752	wmic.exe
Token: SeCreatePagefilePrivilege	1752	wmic.exe
Token: SeBackupPrivilege	1752	wmic.exe
Token: SeRestorePrivilege	1752	wmic.exe
Token: SeShutdownPrivilege	1752	wmic.exe
Token: SeDebugPrivilege	1752	wmic.exe
Token: SeSystemEnvironmentPrivilege	1752	wmic.exe
Token: SeRemoteShutdownPrivilege	1752	wmic.exe
Token: SeUndockPrivilege	1752	wmic.exe
Token: SeManageVolumePrivilege	1752	wmic.exe
Token: 33	1752	wmic.exe
Token: 34	1752	wmic.exe
Token: 35	1752	wmic.exe
Token: 36	1752	wmic.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe
Token: SeSecurityPrivilege	3136	WMIC.exe
Token: SeTakeOwnershipPrivilege	3136	WMIC.exe
Token: SeLoadDriverPrivilege	3136	WMIC.exe
Token: SeSystemProfilePrivilege	3136	WMIC.exe
Token: SeSystemtimePrivilege	3136	WMIC.exe
Token: SeProfSingleProcessPrivilege	3136	WMIC.exe
Token: SeIncBasePriorityPrivilege	3136	WMIC.exe
Token: SeCreatePagefilePrivilege	3136	WMIC.exe
Token: SeBackupPrivilege	3136	WMIC.exe
Token: SeRestorePrivilege	3136	WMIC.exe
Token: SeShutdownPrivilege	3136	WMIC.exe
Token: SeDebugPrivilege	3136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3136	WMIC.exe
Token: SeRemoteShutdownPrivilege	3136	WMIC.exe
Token: SeUndockPrivilege	3136	WMIC.exe
Token: SeManageVolumePrivilege	3136	WMIC.exe
Token: 33	3136	WMIC.exe
Token: 34	3136	WMIC.exe
Token: 35	3136	WMIC.exe
Token: 36	3136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1752	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	99
PID 4116 wrote to memory of 1752	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	99
PID 4116 wrote to memory of 1752	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	99
PID 4116 wrote to memory of 3316	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	105
PID 4116 wrote to memory of 3316	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	105
PID 4116 wrote to memory of 3316	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	105
PID 3316 wrote to memory of 3136	3316	cmd.exe	107
PID 3316 wrote to memory of 3136	3316	cmd.exe	107
PID 3316 wrote to memory of 3136	3316	cmd.exe	107
PID 4116 wrote to memory of 3804	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	108
PID 4116 wrote to memory of 3804	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	108
PID 4116 wrote to memory of 3804	4116	42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe	108
PID 3804 wrote to memory of 3668	3804	cmd.exe	110
PID 3804 wrote to memory of 3668	3804	cmd.exe	110
PID 3804 wrote to memory of 3668	3804	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe
"C:\Users\Admin\AppData\Local\Temp\42a4d913ed1b16c617135168293607507c8ff88515ac5cfda91061e01ce7fab0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 560
  2⤵
  - Program crash
  PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 564
  2⤵
  - Program crash
  PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 564
  2⤵
  - Program crash
  PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 640
  2⤵
  - Program crash
  PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 812
  2⤵
  - Program crash
  PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 868
  2⤵
  - Program crash
  PID:4036
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 864
  2⤵
  - Program crash
  PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1292
  2⤵
  - Program crash
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 140
  2⤵
  - Program crash
  PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4116 -ip 4116
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4116 -ip 4116
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4116 -ip 4116
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4116 -ip 4116
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4116 -ip 4116
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4116 -ip 4116
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4116 -ip 4116
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4116 -ip 4116
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4116 -ip 4116
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4116-132-0x00000000032B0000-0x00000000037CF000-memory.dmp

Filesize
5.1MB

Download
memory/4116-133-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/4116-139-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download