48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439

Analysis

max time kernel
159s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:19

Target

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
Size

1.1MB
MD5

d08fcb46e2993eeb3cb8bd05cf4992ec
SHA1

c7c5799dc9cd19e25c99ea964ac2a6b3906e0c26
SHA256

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439
SHA512

2c2932a0516de70f58942828210fd75519ac2d374e9f18f7cb4e4aa9618610ef128f0f44501f34a38dda9355c211ef38eefa660d352c1bfc58e5ea50bb018739
SSDEEP

24576:mjqAi9L/Qb8ogj7XYK+46TdvErsfpIlRKT+:m2Ai9LYPgjzV90fse+

Score

8^/10

spyware stealer

Executes dropped EXE 1 IoCs

Processes:

~GMDC5B.exe

pid process

968 ~GMDC5B.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4388 968 WerFault.exe ~GMDC5B.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

description pid process

Token: SeDebugPrivilege 924 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

pid	process
968	~GMDC5B.exe

pid	pid_target	process	target process
4388	968	WerFault.exe	~GMDC5B.exe

description	pid	process
Token: SeDebugPrivilege	924	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

description	pid	process	target process
PID 924 wrote to memory of 968	924	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMDC5B.exe
PID 924 wrote to memory of 968	924	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMDC5B.exe
PID 924 wrote to memory of 968	924	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMDC5B.exe

C:\Users\Admin\AppData\Local\Temp\~GMDC5B.exe
"C:\Users\Admin\AppData\Local\Temp\~GMDC5B.exe"
2⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 520
3⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 968 -ip 968
1⤵
PID:3376

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\~GMDC5B.exe

Filesize
772KB

MD5
ddaf2a6f69fb833093145e57cc3f1e31

SHA1
8e26dca2a0681e36f4ca5de8456484ad18bf576c

SHA256
a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76

SHA512
7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GMDC5B.exe

Filesize
772KB

MD5
ddaf2a6f69fb833093145e57cc3f1e31

SHA1
8e26dca2a0681e36f4ca5de8456484ad18bf576c

SHA256
a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76

SHA512
7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0

Download Submit
memory/968-132-0x0000000000000000-mapping.dmp

Download