a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6

Analysis

max time kernel
91s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2022, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe
Size

5.8MB
MD5

db5983fea0a451794338069209ded126
SHA1

2811006ccbac09d438b879d4733cbb4d8993bab8
SHA256

a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6
SHA512

8889a751fc1a3dd1c04660b931597a664e6556589f6aa9dc2426310e839c222e2605030d90864ea80d3fcc74d1c9abd01ca2700975b64051ca63e0b8665091e4
SSDEEP

49152:qnV9xaPFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcy20RHrzKgiR:qnV9xJSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
892	3180	WerFault.exe	81
2624	3180	WerFault.exe	81
4340	3180	WerFault.exe	81
3536	3180	WerFault.exe	81
2892	3180	WerFault.exe	81
2936	3180	WerFault.exe	81
1104	3180	WerFault.exe	81
1136	3180	WerFault.exe	81
3076	3180	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1996	wmic.exe
Token: SeSecurityPrivilege	1996	wmic.exe
Token: SeTakeOwnershipPrivilege	1996	wmic.exe
Token: SeLoadDriverPrivilege	1996	wmic.exe
Token: SeSystemProfilePrivilege	1996	wmic.exe
Token: SeSystemtimePrivilege	1996	wmic.exe
Token: SeProfSingleProcessPrivilege	1996	wmic.exe
Token: SeIncBasePriorityPrivilege	1996	wmic.exe
Token: SeCreatePagefilePrivilege	1996	wmic.exe
Token: SeBackupPrivilege	1996	wmic.exe
Token: SeRestorePrivilege	1996	wmic.exe
Token: SeShutdownPrivilege	1996	wmic.exe
Token: SeDebugPrivilege	1996	wmic.exe
Token: SeSystemEnvironmentPrivilege	1996	wmic.exe
Token: SeRemoteShutdownPrivilege	1996	wmic.exe
Token: SeUndockPrivilege	1996	wmic.exe
Token: SeManageVolumePrivilege	1996	wmic.exe
Token: 33	1996	wmic.exe
Token: 34	1996	wmic.exe
Token: 35	1996	wmic.exe
Token: 36	1996	wmic.exe
Token: SeIncreaseQuotaPrivilege	1996	wmic.exe
Token: SeSecurityPrivilege	1996	wmic.exe
Token: SeTakeOwnershipPrivilege	1996	wmic.exe
Token: SeLoadDriverPrivilege	1996	wmic.exe
Token: SeSystemProfilePrivilege	1996	wmic.exe
Token: SeSystemtimePrivilege	1996	wmic.exe
Token: SeProfSingleProcessPrivilege	1996	wmic.exe
Token: SeIncBasePriorityPrivilege	1996	wmic.exe
Token: SeCreatePagefilePrivilege	1996	wmic.exe
Token: SeBackupPrivilege	1996	wmic.exe
Token: SeRestorePrivilege	1996	wmic.exe
Token: SeShutdownPrivilege	1996	wmic.exe
Token: SeDebugPrivilege	1996	wmic.exe
Token: SeSystemEnvironmentPrivilege	1996	wmic.exe
Token: SeRemoteShutdownPrivilege	1996	wmic.exe
Token: SeUndockPrivilege	1996	wmic.exe
Token: SeManageVolumePrivilege	1996	wmic.exe
Token: 33	1996	wmic.exe
Token: 34	1996	wmic.exe
Token: 35	1996	wmic.exe
Token: 36	1996	wmic.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: 36	1624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 1996	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	101
PID 3180 wrote to memory of 1996	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	101
PID 3180 wrote to memory of 1996	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	101
PID 3180 wrote to memory of 1700	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	107
PID 3180 wrote to memory of 1700	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	107
PID 3180 wrote to memory of 1700	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	107
PID 1700 wrote to memory of 1624	1700	cmd.exe	109
PID 1700 wrote to memory of 1624	1700	cmd.exe	109
PID 1700 wrote to memory of 1624	1700	cmd.exe	109
PID 3180 wrote to memory of 1788	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	110
PID 3180 wrote to memory of 1788	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	110
PID 3180 wrote to memory of 1788	3180	a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe	110
PID 1788 wrote to memory of 3976	1788	cmd.exe	112
PID 1788 wrote to memory of 3976	1788	cmd.exe	112
PID 1788 wrote to memory of 3976	1788	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe
"C:\Users\Admin\AppData\Local\Temp\a3339c6f5354fbcdbbc6285c3a5b8f9d65ad6ed87d6abeb42a5255fa2ddb71d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 560
  2⤵
  - Program crash
  PID:892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 564
  2⤵
  - Program crash
  PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 604
  2⤵
  - Program crash
  PID:4340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 668
  2⤵
  - Program crash
  PID:3536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 812
  2⤵
  - Program crash
  PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 836
  2⤵
  - Program crash
  PID:2936
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1288
  2⤵
  - Program crash
  PID:1104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1340
  2⤵
  - Program crash
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 152
  2⤵
  - Program crash
  PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3180 -ip 3180
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3180 -ip 3180
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3180 -ip 3180
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3180 -ip 3180
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3180 -ip 3180
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3180 -ip 3180
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3180 -ip 3180
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3180 -ip 3180
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3180 -ip 3180
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3180-132-0x00000000033D0000-0x00000000038EF000-memory.dmp

Filesize
5.1MB

Download
memory/3180-133-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/3180-139-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download