78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267

Analysis

max time kernel
50s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/10/2022, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe
Size

6.3MB
MD5

311c52a9229aac878706a5b00b12a39b
SHA1

c4fc771e3dc0aff7a02b8ff99755a5c753d93060
SHA256

78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267
SHA512

cf969d02eb09e53aff95d5ace274c7f2f1a1ba37270a5ea9791164062549003a9cc84f1ec5cb097336c1b3be77868ef961a234d2b17a8d17d4854b89261b9a07
SSDEEP

49152:bkmZbQsxBXQbKXmuCFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcr:bkcbf6bKXlSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4872	2196	WerFault.exe	65
4892	2196	WerFault.exe	65
4112	2196	WerFault.exe	65
3268	2196	WerFault.exe	65
4320	2196	WerFault.exe	65
4372	2196	WerFault.exe	65
5088	2196	WerFault.exe	65
2744	2196	WerFault.exe	65
3764	2196	WerFault.exe	65
96	2196	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4500	wmic.exe
Token: SeSecurityPrivilege	4500	wmic.exe
Token: SeTakeOwnershipPrivilege	4500	wmic.exe
Token: SeLoadDriverPrivilege	4500	wmic.exe
Token: SeSystemProfilePrivilege	4500	wmic.exe
Token: SeSystemtimePrivilege	4500	wmic.exe
Token: SeProfSingleProcessPrivilege	4500	wmic.exe
Token: SeIncBasePriorityPrivilege	4500	wmic.exe
Token: SeCreatePagefilePrivilege	4500	wmic.exe
Token: SeBackupPrivilege	4500	wmic.exe
Token: SeRestorePrivilege	4500	wmic.exe
Token: SeShutdownPrivilege	4500	wmic.exe
Token: SeDebugPrivilege	4500	wmic.exe
Token: SeSystemEnvironmentPrivilege	4500	wmic.exe
Token: SeRemoteShutdownPrivilege	4500	wmic.exe
Token: SeUndockPrivilege	4500	wmic.exe
Token: SeManageVolumePrivilege	4500	wmic.exe
Token: 33	4500	wmic.exe
Token: 34	4500	wmic.exe
Token: 35	4500	wmic.exe
Token: 36	4500	wmic.exe
Token: SeIncreaseQuotaPrivilege	4500	wmic.exe
Token: SeSecurityPrivilege	4500	wmic.exe
Token: SeTakeOwnershipPrivilege	4500	wmic.exe
Token: SeLoadDriverPrivilege	4500	wmic.exe
Token: SeSystemProfilePrivilege	4500	wmic.exe
Token: SeSystemtimePrivilege	4500	wmic.exe
Token: SeProfSingleProcessPrivilege	4500	wmic.exe
Token: SeIncBasePriorityPrivilege	4500	wmic.exe
Token: SeCreatePagefilePrivilege	4500	wmic.exe
Token: SeBackupPrivilege	4500	wmic.exe
Token: SeRestorePrivilege	4500	wmic.exe
Token: SeShutdownPrivilege	4500	wmic.exe
Token: SeDebugPrivilege	4500	wmic.exe
Token: SeSystemEnvironmentPrivilege	4500	wmic.exe
Token: SeRemoteShutdownPrivilege	4500	wmic.exe
Token: SeUndockPrivilege	4500	wmic.exe
Token: SeManageVolumePrivilege	4500	wmic.exe
Token: 33	4500	wmic.exe
Token: 34	4500	wmic.exe
Token: 35	4500	wmic.exe
Token: 36	4500	wmic.exe
Token: SeIncreaseQuotaPrivilege	4568	WMIC.exe
Token: SeSecurityPrivilege	4568	WMIC.exe
Token: SeTakeOwnershipPrivilege	4568	WMIC.exe
Token: SeLoadDriverPrivilege	4568	WMIC.exe
Token: SeSystemProfilePrivilege	4568	WMIC.exe
Token: SeSystemtimePrivilege	4568	WMIC.exe
Token: SeProfSingleProcessPrivilege	4568	WMIC.exe
Token: SeIncBasePriorityPrivilege	4568	WMIC.exe
Token: SeCreatePagefilePrivilege	4568	WMIC.exe
Token: SeBackupPrivilege	4568	WMIC.exe
Token: SeRestorePrivilege	4568	WMIC.exe
Token: SeShutdownPrivilege	4568	WMIC.exe
Token: SeDebugPrivilege	4568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4568	WMIC.exe
Token: SeRemoteShutdownPrivilege	4568	WMIC.exe
Token: SeUndockPrivilege	4568	WMIC.exe
Token: SeManageVolumePrivilege	4568	WMIC.exe
Token: 33	4568	WMIC.exe
Token: 34	4568	WMIC.exe
Token: 35	4568	WMIC.exe
Token: 36	4568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4568	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4500	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	73
PID 2196 wrote to memory of 4500	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	73
PID 2196 wrote to memory of 4500	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	73
PID 2196 wrote to memory of 3928	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	79
PID 2196 wrote to memory of 3928	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	79
PID 2196 wrote to memory of 3928	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	79
PID 3928 wrote to memory of 4568	3928	cmd.exe	81
PID 3928 wrote to memory of 4568	3928	cmd.exe	81
PID 3928 wrote to memory of 4568	3928	cmd.exe	81
PID 2196 wrote to memory of 4728	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	82
PID 2196 wrote to memory of 4728	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	82
PID 2196 wrote to memory of 4728	2196	78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe	82
PID 4728 wrote to memory of 4684	4728	cmd.exe	84
PID 4728 wrote to memory of 4684	4728	cmd.exe	84
PID 4728 wrote to memory of 4684	4728	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe
"C:\Users\Admin\AppData\Local\Temp\78ee9bc942de8fd1d99e764265b3af6011f80f28bc2b20951d56513d9f318267.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 544
  2⤵
  - Program crash
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 524
  2⤵
  - Program crash
  PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 588
  2⤵
  - Program crash
  PID:4112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 644
  2⤵
  - Program crash
  PID:3268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 612
  2⤵
  - Program crash
  PID:4320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 888
  2⤵
  - Program crash
  PID:4372
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1340
  2⤵
  - Program crash
  PID:5088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1388
  2⤵
  - Program crash
  PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1404
  2⤵
  - Program crash
  PID:3764
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 312
  2⤵
  - Program crash
  PID:96

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-120-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-121-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-122-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-123-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-124-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-125-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-126-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-127-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-128-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-129-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-130-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-131-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-132-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-133-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-134-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-135-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-136-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-137-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-138-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-139-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-140-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-141-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-142-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-143-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-144-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-145-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-146-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-147-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-148-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-149-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-150-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-151-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-152-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-153-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-154-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-155-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-156-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-157-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-158-0x00000000033E0000-0x00000000038FF000-memory.dmp

Filesize
5.1MB

Download
memory/2196-159-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/2196-160-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-161-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-162-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-163-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-164-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-165-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-166-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-167-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-168-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-169-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-170-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-171-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-385-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/2196-387-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4500-173-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-174-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-175-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-176-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-177-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-178-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-179-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-180-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-181-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-182-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-183-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-184-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-185-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4500-186-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download