Analysis
-
max time kernel
74s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2022 11:38
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
windows7-x64
7 signatures
150 seconds
General
-
Target
file.exe
-
Size
358KB
-
MD5
381e4c7a1710e50685d70d5c8f64bf0f
-
SHA1
3238069f1f6784fc4a2bab012639e2a8f137b2a6
-
SHA256
407312c530750f0320b643a45763bba006d313cefa8df72f463ec836d3f9de08
-
SHA512
2f9ff2926deaadde24c4fdcd2e0372df3d4769010c4f9b41ed584a5ffda73dc748873fb54fdcaa719037426c52dff4d4355f7b7389937db134ade90d27f20a44
-
SSDEEP
6144:Av6/B0LPN7gIFcZucmc9irChTWRNk5VP1ySqYXlnpTIU:Av6/mxMIFc/mc9icqRq9ySDXln
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4704 4584 WerFault.exe file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
file.exepid process 4584 file.exe 4584 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
file.exedescription pid process Token: SeDebugPrivilege 4584 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 12562⤵
- Program crash
PID:4704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4584 -ip 45841⤵PID:3364