4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0

Analysis

max time kernel
92s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe
Size

4.4MB
MD5

7bfb9857ff0e405469350c8fc73b484f
SHA1

ff7de3f2ef69e7fa477ee1850c21a577113310fd
SHA256

4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0
SHA512

207b98ea65e61e8d38cd35a3e60f984de4f0741b84d7a2a4a06cf664be7c30e8e704ab55d732283776f6294642f1428497a21499e9223aad6e998b4105a2e4f7
SSDEEP

49152:z39Gf5NIemiesn/gbmtvKtQkyNfTah5EGitGQnldFRia01F:Mf1leF5E3G8l6

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4944	wmic.exe
Token: SeSecurityPrivilege	4944	wmic.exe
Token: SeTakeOwnershipPrivilege	4944	wmic.exe
Token: SeLoadDriverPrivilege	4944	wmic.exe
Token: SeSystemProfilePrivilege	4944	wmic.exe
Token: SeSystemtimePrivilege	4944	wmic.exe
Token: SeProfSingleProcessPrivilege	4944	wmic.exe
Token: SeIncBasePriorityPrivilege	4944	wmic.exe
Token: SeCreatePagefilePrivilege	4944	wmic.exe
Token: SeBackupPrivilege	4944	wmic.exe
Token: SeRestorePrivilege	4944	wmic.exe
Token: SeShutdownPrivilege	4944	wmic.exe
Token: SeDebugPrivilege	4944	wmic.exe
Token: SeSystemEnvironmentPrivilege	4944	wmic.exe
Token: SeRemoteShutdownPrivilege	4944	wmic.exe
Token: SeUndockPrivilege	4944	wmic.exe
Token: SeManageVolumePrivilege	4944	wmic.exe
Token: 33	4944	wmic.exe
Token: 34	4944	wmic.exe
Token: 35	4944	wmic.exe
Token: 36	4944	wmic.exe
Token: SeIncreaseQuotaPrivilege	4944	wmic.exe
Token: SeSecurityPrivilege	4944	wmic.exe
Token: SeTakeOwnershipPrivilege	4944	wmic.exe
Token: SeLoadDriverPrivilege	4944	wmic.exe
Token: SeSystemProfilePrivilege	4944	wmic.exe
Token: SeSystemtimePrivilege	4944	wmic.exe
Token: SeProfSingleProcessPrivilege	4944	wmic.exe
Token: SeIncBasePriorityPrivilege	4944	wmic.exe
Token: SeCreatePagefilePrivilege	4944	wmic.exe
Token: SeBackupPrivilege	4944	wmic.exe
Token: SeRestorePrivilege	4944	wmic.exe
Token: SeShutdownPrivilege	4944	wmic.exe
Token: SeDebugPrivilege	4944	wmic.exe
Token: SeSystemEnvironmentPrivilege	4944	wmic.exe
Token: SeRemoteShutdownPrivilege	4944	wmic.exe
Token: SeUndockPrivilege	4944	wmic.exe
Token: SeManageVolumePrivilege	4944	wmic.exe
Token: 33	4944	wmic.exe
Token: 34	4944	wmic.exe
Token: 35	4944	wmic.exe
Token: 36	4944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1256	WMIC.exe
Token: SeSecurityPrivilege	1256	WMIC.exe
Token: SeTakeOwnershipPrivilege	1256	WMIC.exe
Token: SeLoadDriverPrivilege	1256	WMIC.exe
Token: SeSystemProfilePrivilege	1256	WMIC.exe
Token: SeSystemtimePrivilege	1256	WMIC.exe
Token: SeProfSingleProcessPrivilege	1256	WMIC.exe
Token: SeIncBasePriorityPrivilege	1256	WMIC.exe
Token: SeCreatePagefilePrivilege	1256	WMIC.exe
Token: SeBackupPrivilege	1256	WMIC.exe
Token: SeRestorePrivilege	1256	WMIC.exe
Token: SeShutdownPrivilege	1256	WMIC.exe
Token: SeDebugPrivilege	1256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1256	WMIC.exe
Token: SeRemoteShutdownPrivilege	1256	WMIC.exe
Token: SeUndockPrivilege	1256	WMIC.exe
Token: SeManageVolumePrivilege	1256	WMIC.exe
Token: 33	1256	WMIC.exe
Token: 34	1256	WMIC.exe
Token: 35	1256	WMIC.exe
Token: 36	1256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1256	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 4944	2292	4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe	80
PID 2292 wrote to memory of 4944	2292	4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe	80
PID 2292 wrote to memory of 4904	2292	4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe	82
PID 2292 wrote to memory of 4904	2292	4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe	82
PID 4904 wrote to memory of 1256	4904	cmd.exe	84
PID 4904 wrote to memory of 1256	4904	cmd.exe	84
PID 2292 wrote to memory of 1232	2292	4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe	85
PID 2292 wrote to memory of 1232	2292	4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe	85
PID 1232 wrote to memory of 3844	1232	cmd.exe	87
PID 1232 wrote to memory of 3844	1232	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe
"C:\Users\Admin\AppData\Local\Temp\4e7b3bfa6edf5cf57bd1ddefc3838a6da7b70db15dc306c27393c0c98b16c4d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\system32\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Windows\system32\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...