Analysis
- max time kernel: 58s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-11-2022 13:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
- Resource: win7-20221111-en
General
- Target: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
- Size: 428KB
- MD5: 6572b92ad414cbfdaa8c1f22aa2a2d1b
- SHA1: 7a8ec27f15f5fe7031ce78ce779a89ae9816079e
- SHA256: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2
- SHA512: 98994fba0bbdbadb2d953b81dc6d7773d1dac46c1e4862c31dc843df8cafee017e73a3af497ef91d1d83dbda68e1ecba6b1ad8340e2d114622eacb40013ac82b
- SSDEEP: 12288:UYwNUOPC+rS44VXm73nomqYGgM9F2I4UdT:URPVrv7YmpM9F27wT
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoCs)
  Processes:
  pid: 1740, pid_target: 3808, process: WerFault.exe, target process: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid: 3808, process: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
  pid: 3808, process: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 3808, process: db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db720d33df5146fd770339902f9d5ae9db807856a95f2080b8e3c9a444e44fc2.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1248
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3808 -ip 3808
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3808-132-0x0000000000B02000-0x0000000000B38000-memory.dmp, Filesize: 216KB
- memory/3808-133-0x00000000024D0000-0x0000000002529000-memory.dmp, Filesize: 356KB
- memory/3808-134-0x0000000000400000-0x000000000086E000-memory.dmp, Filesize: 4.4MB
- memory/3808-135-0x00000000051A0000-0x0000000005744000-memory.dmp, Filesize: 5.6MB
- memory/3808-136-0x0000000005750000-0x0000000005D68000-memory.dmp, Filesize: 6.1MB
- memory/3808-137-0x0000000005070000-0x0000000005082000-memory.dmp, Filesize: 72KB
- memory/3808-138-0x0000000005D70000-0x0000000005E7A000-memory.dmp, Filesize: 1.0MB
- memory/3808-139-0x0000000005090000-0x00000000050CC000-memory.dmp, Filesize: 240KB
- memory/3808-140-0x0000000006090000-0x00000000060F6000-memory.dmp, Filesize: 408KB
- memory/3808-141-0x0000000006750000-0x00000000067E2000-memory.dmp, Filesize: 584KB
- memory/3808-142-0x0000000006910000-0x0000000006986000-memory.dmp, Filesize: 472KB
- memory/3808-143-0x00000000069D0000-0x00000000069EE000-memory.dmp, Filesize: 120KB
- memory/3808-144-0x0000000006A90000-0x0000000006C52000-memory.dmp, Filesize: 1.8MB
- memory/3808-145-0x0000000006C70000-0x000000000719C000-memory.dmp, Filesize: 5.2MB
- memory/3808-146-0x0000000000B02000-0x0000000000B38000-memory.dmp, Filesize: 216KB
- memory/3808-147-0x00000000024D0000-0x0000000002529000-memory.dmp, Filesize: 356KB
- memory/3808-148-0x0000000000400000-0x000000000086E000-memory.dmp, Filesize: 4.4MB