37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d

Analysis

max time kernel
100s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe
Size

6.3MB
MD5

69b628b5f9cb5dd597f040b52532acc3
SHA1

3e5d80d7ef488ab8ff4128d442f54b4c53dfcfbb
SHA256

37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d
SHA512

13e0f6a9ce8bc19fed61ee78962ccd2106e96e6164eb9aa57f1ae0ec5c09e9adf937a62cbdf20f51d96fef52f56c7f2848376efeb10d7017a5b95da196bd5ba4
SSDEEP

49152:bkmZbQsxBXQbKXmuuFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcr:bkcbf6bKXpSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4320	4540	WerFault.exe	82
2860	4540	WerFault.exe	82
2208	4540	WerFault.exe	82
3792	4540	WerFault.exe	82
2360	4540	WerFault.exe	82
1856	4540	WerFault.exe	82
4948	4540	WerFault.exe	82
4548	4540	WerFault.exe	82
1076	4540	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3936	wmic.exe
Token: SeSecurityPrivilege	3936	wmic.exe
Token: SeTakeOwnershipPrivilege	3936	wmic.exe
Token: SeLoadDriverPrivilege	3936	wmic.exe
Token: SeSystemProfilePrivilege	3936	wmic.exe
Token: SeSystemtimePrivilege	3936	wmic.exe
Token: SeProfSingleProcessPrivilege	3936	wmic.exe
Token: SeIncBasePriorityPrivilege	3936	wmic.exe
Token: SeCreatePagefilePrivilege	3936	wmic.exe
Token: SeBackupPrivilege	3936	wmic.exe
Token: SeRestorePrivilege	3936	wmic.exe
Token: SeShutdownPrivilege	3936	wmic.exe
Token: SeDebugPrivilege	3936	wmic.exe
Token: SeSystemEnvironmentPrivilege	3936	wmic.exe
Token: SeRemoteShutdownPrivilege	3936	wmic.exe
Token: SeUndockPrivilege	3936	wmic.exe
Token: SeManageVolumePrivilege	3936	wmic.exe
Token: 33	3936	wmic.exe
Token: 34	3936	wmic.exe
Token: 35	3936	wmic.exe
Token: 36	3936	wmic.exe
Token: SeIncreaseQuotaPrivilege	3936	wmic.exe
Token: SeSecurityPrivilege	3936	wmic.exe
Token: SeTakeOwnershipPrivilege	3936	wmic.exe
Token: SeLoadDriverPrivilege	3936	wmic.exe
Token: SeSystemProfilePrivilege	3936	wmic.exe
Token: SeSystemtimePrivilege	3936	wmic.exe
Token: SeProfSingleProcessPrivilege	3936	wmic.exe
Token: SeIncBasePriorityPrivilege	3936	wmic.exe
Token: SeCreatePagefilePrivilege	3936	wmic.exe
Token: SeBackupPrivilege	3936	wmic.exe
Token: SeRestorePrivilege	3936	wmic.exe
Token: SeShutdownPrivilege	3936	wmic.exe
Token: SeDebugPrivilege	3936	wmic.exe
Token: SeSystemEnvironmentPrivilege	3936	wmic.exe
Token: SeRemoteShutdownPrivilege	3936	wmic.exe
Token: SeUndockPrivilege	3936	wmic.exe
Token: SeManageVolumePrivilege	3936	wmic.exe
Token: 33	3936	wmic.exe
Token: 34	3936	wmic.exe
Token: 35	3936	wmic.exe
Token: 36	3936	wmic.exe
Token: SeIncreaseQuotaPrivilege	3156	WMIC.exe
Token: SeSecurityPrivilege	3156	WMIC.exe
Token: SeTakeOwnershipPrivilege	3156	WMIC.exe
Token: SeLoadDriverPrivilege	3156	WMIC.exe
Token: SeSystemProfilePrivilege	3156	WMIC.exe
Token: SeSystemtimePrivilege	3156	WMIC.exe
Token: SeProfSingleProcessPrivilege	3156	WMIC.exe
Token: SeIncBasePriorityPrivilege	3156	WMIC.exe
Token: SeCreatePagefilePrivilege	3156	WMIC.exe
Token: SeBackupPrivilege	3156	WMIC.exe
Token: SeRestorePrivilege	3156	WMIC.exe
Token: SeShutdownPrivilege	3156	WMIC.exe
Token: SeDebugPrivilege	3156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3156	WMIC.exe
Token: SeRemoteShutdownPrivilege	3156	WMIC.exe
Token: SeUndockPrivilege	3156	WMIC.exe
Token: SeManageVolumePrivilege	3156	WMIC.exe
Token: 33	3156	WMIC.exe
Token: 34	3156	WMIC.exe
Token: 35	3156	WMIC.exe
Token: 36	3156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3156	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 3936	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	101
PID 4540 wrote to memory of 3936	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	101
PID 4540 wrote to memory of 3936	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	101
PID 4540 wrote to memory of 4980	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	108
PID 4540 wrote to memory of 4980	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	108
PID 4540 wrote to memory of 4980	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	108
PID 4980 wrote to memory of 3156	4980	cmd.exe	110
PID 4980 wrote to memory of 3156	4980	cmd.exe	110
PID 4980 wrote to memory of 3156	4980	cmd.exe	110
PID 4540 wrote to memory of 2088	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	111
PID 4540 wrote to memory of 2088	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	111
PID 4540 wrote to memory of 2088	4540	37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe	111
PID 2088 wrote to memory of 5076	2088	cmd.exe	113
PID 2088 wrote to memory of 5076	2088	cmd.exe	113
PID 2088 wrote to memory of 5076	2088	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe
"C:\Users\Admin\AppData\Local\Temp\37558dbfd77792659eba1d3a10e84b308be22a7472278f4728b4df0de0fec72d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 560
  2⤵
  - Program crash
  PID:4320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 564
  2⤵
  - Program crash
  PID:2860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 564
  2⤵
  - Program crash
  PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 612
  2⤵
  - Program crash
  PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 652
  2⤵
  - Program crash
  PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 868
  2⤵
  - Program crash
  PID:1856
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1328
  2⤵
  - Program crash
  PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1392
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 140
  2⤵
  - Program crash
  PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4540 -ip 4540
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4540 -ip 4540
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4540 -ip 4540
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4540 -ip 4540
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4540 -ip 4540
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4540 -ip 4540
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4540 -ip 4540
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4540 -ip 4540
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4540 -ip 4540
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2088-138-0x0000000000000000-mapping.dmp

Download
memory/3156-137-0x0000000000000000-mapping.dmp

Download
memory/3936-134-0x0000000000000000-mapping.dmp

Download
memory/4540-132-0x00000000033D0000-0x00000000038EF000-memory.dmp

Filesize
5.1MB

Download
memory/4540-133-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4540-135-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4540-140-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4980-136-0x0000000000000000-mapping.dmp

Download
memory/5076-139-0x0000000000000000-mapping.dmp

Download