30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0

Analysis

max time kernel
90s
max time network
141s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/10/2022, 09:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe
Size

6.3MB
MD5

4559d16581b12662ee65e822c6f771d8
SHA1

d3ef97e8eb088dc674dcbeefeb1f1944400f25e8
SHA256

30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0
SHA512

0c57ccff3a842cdd4a3ec88469bdf224115daf4dc443a684e980b113209f7a3b007fdf15353a516ba48c220e428acf39dc1ca796205910f74e9724aef8febdaf
SSDEEP

49152:bkmZbQsxBXQbKXmugFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcr:bkcbf6bKXzSjL+EnHOMz5ysZA5+bf6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 10 IoCs

pid	pid_target	Process	procid_target
2256	4208	WerFault.exe	65
2108	4208	WerFault.exe	65
4792	4208	WerFault.exe	65
4252	4208	WerFault.exe	65
1356	4208	WerFault.exe	65
2688	4208	WerFault.exe	65
4768	4208	WerFault.exe	65
4748	4208	WerFault.exe	65
4332	4208	WerFault.exe	65
2312	4208	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4284	wmic.exe
Token: SeSecurityPrivilege	4284	wmic.exe
Token: SeTakeOwnershipPrivilege	4284	wmic.exe
Token: SeLoadDriverPrivilege	4284	wmic.exe
Token: SeSystemProfilePrivilege	4284	wmic.exe
Token: SeSystemtimePrivilege	4284	wmic.exe
Token: SeProfSingleProcessPrivilege	4284	wmic.exe
Token: SeIncBasePriorityPrivilege	4284	wmic.exe
Token: SeCreatePagefilePrivilege	4284	wmic.exe
Token: SeBackupPrivilege	4284	wmic.exe
Token: SeRestorePrivilege	4284	wmic.exe
Token: SeShutdownPrivilege	4284	wmic.exe
Token: SeDebugPrivilege	4284	wmic.exe
Token: SeSystemEnvironmentPrivilege	4284	wmic.exe
Token: SeRemoteShutdownPrivilege	4284	wmic.exe
Token: SeUndockPrivilege	4284	wmic.exe
Token: SeManageVolumePrivilege	4284	wmic.exe
Token: 33	4284	wmic.exe
Token: 34	4284	wmic.exe
Token: 35	4284	wmic.exe
Token: 36	4284	wmic.exe
Token: SeIncreaseQuotaPrivilege	4284	wmic.exe
Token: SeSecurityPrivilege	4284	wmic.exe
Token: SeTakeOwnershipPrivilege	4284	wmic.exe
Token: SeLoadDriverPrivilege	4284	wmic.exe
Token: SeSystemProfilePrivilege	4284	wmic.exe
Token: SeSystemtimePrivilege	4284	wmic.exe
Token: SeProfSingleProcessPrivilege	4284	wmic.exe
Token: SeIncBasePriorityPrivilege	4284	wmic.exe
Token: SeCreatePagefilePrivilege	4284	wmic.exe
Token: SeBackupPrivilege	4284	wmic.exe
Token: SeRestorePrivilege	4284	wmic.exe
Token: SeShutdownPrivilege	4284	wmic.exe
Token: SeDebugPrivilege	4284	wmic.exe
Token: SeSystemEnvironmentPrivilege	4284	wmic.exe
Token: SeRemoteShutdownPrivilege	4284	wmic.exe
Token: SeUndockPrivilege	4284	wmic.exe
Token: SeManageVolumePrivilege	4284	wmic.exe
Token: 33	4284	wmic.exe
Token: 34	4284	wmic.exe
Token: 35	4284	wmic.exe
Token: 36	4284	wmic.exe
Token: SeIncreaseQuotaPrivilege	3740	WMIC.exe
Token: SeSecurityPrivilege	3740	WMIC.exe
Token: SeTakeOwnershipPrivilege	3740	WMIC.exe
Token: SeLoadDriverPrivilege	3740	WMIC.exe
Token: SeSystemProfilePrivilege	3740	WMIC.exe
Token: SeSystemtimePrivilege	3740	WMIC.exe
Token: SeProfSingleProcessPrivilege	3740	WMIC.exe
Token: SeIncBasePriorityPrivilege	3740	WMIC.exe
Token: SeCreatePagefilePrivilege	3740	WMIC.exe
Token: SeBackupPrivilege	3740	WMIC.exe
Token: SeRestorePrivilege	3740	WMIC.exe
Token: SeShutdownPrivilege	3740	WMIC.exe
Token: SeDebugPrivilege	3740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3740	WMIC.exe
Token: SeRemoteShutdownPrivilege	3740	WMIC.exe
Token: SeUndockPrivilege	3740	WMIC.exe
Token: SeManageVolumePrivilege	3740	WMIC.exe
Token: 33	3740	WMIC.exe
Token: 34	3740	WMIC.exe
Token: 35	3740	WMIC.exe
Token: 36	3740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3740	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4284	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	73
PID 4208 wrote to memory of 4284	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	73
PID 4208 wrote to memory of 4284	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	73
PID 4208 wrote to memory of 3284	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	79
PID 4208 wrote to memory of 3284	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	79
PID 4208 wrote to memory of 3284	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	79
PID 3284 wrote to memory of 3740	3284	cmd.exe	81
PID 3284 wrote to memory of 3740	3284	cmd.exe	81
PID 3284 wrote to memory of 3740	3284	cmd.exe	81
PID 4208 wrote to memory of 4856	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	82
PID 4208 wrote to memory of 4856	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	82
PID 4208 wrote to memory of 4856	4208	30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe	82
PID 4856 wrote to memory of 764	4856	cmd.exe	84
PID 4856 wrote to memory of 764	4856	cmd.exe	84
PID 4856 wrote to memory of 764	4856	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe
"C:\Users\Admin\AppData\Local\Temp\30aea6c89c155da505e528cb7b50a92572c4b3d4cea1d6880888b5a99c7b9ae0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 544
  2⤵
  - Program crash
  PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 560
  2⤵
  - Program crash
  PID:2108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 520
  2⤵
  - Program crash
  PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 656
  2⤵
  - Program crash
  PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 776
  2⤵
  - Program crash
  PID:1356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 876
  2⤵
  - Program crash
  PID:2688
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1328
  2⤵
  - Program crash
  PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1344
  2⤵
  - Program crash
  PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1396
  2⤵
  - Program crash
  PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 312
  2⤵
  - Program crash
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4208-116-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-117-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-118-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-119-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-120-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-121-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-122-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-123-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-124-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-125-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-126-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-127-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-128-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-129-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-130-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-131-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-132-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-133-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-135-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-136-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-134-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-139-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-141-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-142-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-144-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-145-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-143-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-140-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-138-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-137-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-146-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-147-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-148-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-149-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-150-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-151-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-152-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-153-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-154-0x0000000003250000-0x000000000376F000-memory.dmp

Filesize
5.1MB

Download
memory/4208-155-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4208-156-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-157-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-158-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-159-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-160-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-162-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-161-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-163-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-164-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-165-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-166-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-167-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-382-0x0000000000400000-0x0000000000A55000-memory.dmp

Filesize
6.3MB

Download
memory/4284-169-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-170-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-171-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-172-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-173-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-175-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-174-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-176-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-177-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-179-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-178-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-180-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-181-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4284-182-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download