a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db

Analysis

max time kernel
66s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe
Size

6.3MB
MD5

88b198508d4fcbc156e79d1eb2b78b85
SHA1

62770942aa1c5681dca1421bf7dfe7c2c8121290
SHA256

a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db
SHA512

b4b6204092694f18e218afe4092b10b049319a574e9d8d96dd7313e652e87339d0bf4b45e58153543622820e3b1728d42829fabfab4d7ad0e824569a6edda8bd
SSDEEP

49152:bkmZbQsxBXQbKXmugFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcr:bkcbf6bKXzSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4988	4876	WerFault.exe	82
5012	4876	WerFault.exe	82
1340	4876	WerFault.exe	82
2796	4876	WerFault.exe	82
652	4876	WerFault.exe	82
4812	4876	WerFault.exe	82
1628	4876	WerFault.exe	82
2248	4876	WerFault.exe	82
900	4876	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe
Token: SeManageVolumePrivilege	1104	wmic.exe
Token: 33	1104	wmic.exe
Token: 34	1104	wmic.exe
Token: 35	1104	wmic.exe
Token: 36	1104	wmic.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe
Token: SeManageVolumePrivilege	1104	wmic.exe
Token: 33	1104	wmic.exe
Token: 34	1104	wmic.exe
Token: 35	1104	wmic.exe
Token: 36	1104	wmic.exe
Token: SeIncreaseQuotaPrivilege	1244	WMIC.exe
Token: SeSecurityPrivilege	1244	WMIC.exe
Token: SeTakeOwnershipPrivilege	1244	WMIC.exe
Token: SeLoadDriverPrivilege	1244	WMIC.exe
Token: SeSystemProfilePrivilege	1244	WMIC.exe
Token: SeSystemtimePrivilege	1244	WMIC.exe
Token: SeProfSingleProcessPrivilege	1244	WMIC.exe
Token: SeIncBasePriorityPrivilege	1244	WMIC.exe
Token: SeCreatePagefilePrivilege	1244	WMIC.exe
Token: SeBackupPrivilege	1244	WMIC.exe
Token: SeRestorePrivilege	1244	WMIC.exe
Token: SeShutdownPrivilege	1244	WMIC.exe
Token: SeDebugPrivilege	1244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1244	WMIC.exe
Token: SeRemoteShutdownPrivilege	1244	WMIC.exe
Token: SeUndockPrivilege	1244	WMIC.exe
Token: SeManageVolumePrivilege	1244	WMIC.exe
Token: 33	1244	WMIC.exe
Token: 34	1244	WMIC.exe
Token: 35	1244	WMIC.exe
Token: 36	1244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1244	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1104	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	96
PID 4876 wrote to memory of 1104	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	96
PID 4876 wrote to memory of 1104	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	96
PID 4876 wrote to memory of 228	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	102
PID 4876 wrote to memory of 228	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	102
PID 4876 wrote to memory of 228	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	102
PID 228 wrote to memory of 1244	228	cmd.exe	104
PID 228 wrote to memory of 1244	228	cmd.exe	104
PID 228 wrote to memory of 1244	228	cmd.exe	104
PID 4876 wrote to memory of 4060	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	105
PID 4876 wrote to memory of 4060	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	105
PID 4876 wrote to memory of 4060	4876	a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe	105
PID 4060 wrote to memory of 4324	4060	cmd.exe	107
PID 4060 wrote to memory of 4324	4060	cmd.exe	107
PID 4060 wrote to memory of 4324	4060	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe
"C:\Users\Admin\AppData\Local\Temp\a51965b83aa781d74dfaa494891dd8bbe9909f51132b80debf0111f1ae2c69db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 504
  2⤵
  - Program crash
  PID:4988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 584
  2⤵
  - Program crash
  PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 624
  2⤵
  - Program crash
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 668
  2⤵
  - Program crash
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 788
  2⤵
  - Program crash
  PID:652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 880
  2⤵
  - Program crash
  PID:4812
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1324
  2⤵
  - Program crash
  PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1384
  2⤵
  - Program crash
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 140
  2⤵
  - Program crash
  PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4876 -ip 4876
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4876 -ip 4876
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4876 -ip 4876
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4876 -ip 4876
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4876 -ip 4876
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4876 -ip 4876
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4876 -ip 4876
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4876 -ip 4876
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4876 -ip 4876
1⤵
PID:3388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-135-0x0000000000000000-mapping.dmp

Download
memory/1104-134-0x0000000000000000-mapping.dmp

Download
memory/1244-136-0x0000000000000000-mapping.dmp

Download
memory/4060-137-0x0000000000000000-mapping.dmp

Download
memory/4324-138-0x0000000000000000-mapping.dmp

Download
memory/4876-132-0x00000000033C0000-0x00000000038DF000-memory.dmp

Filesize
5.1MB

Download
memory/4876-133-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4876-139-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download