Analysis
- max time kernel: 176s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 20:22

Static task: static1
Behavioral task: behavioral1
- Sample: 7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
- Resource: win7-20221111-en
General
- Target: 7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
- Size: 297KB
- MD5: db0eb86ca71632c262136c286b22d7b0
- SHA1: f6c27bbc17b2e9d8197a38216faf3bafd15a3526
- SHA256: 7776016bbea5b4c7e67f9bda2d6493444cf785b9115cee0ee905e865177ecb69
- SHA512: 12bc96489e2098842d406fbbcfbd7f3b6e401a7cebb83f5e1580e668fd7260a980c175444a8f3efadabfe82e27bebadbfb89568de2b2f49172da00adc7b1bde5
- SSDEEP: 6144:QsjPWM7wEAm+ANAi1HDHAE9n68XJHnJpcUlGO2D:Q4FlXDHAEJJJHoUw
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  Processes (pid, process, pid_target, target process):
  4196  WerFault.exe  4364  7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  4364  7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
  4364  7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  4364  7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7776016bbea5b4c7e67f9bda2d6493444cf785b9115ce.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1520
    - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4364 -ip 4364
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4364-132-0x000000000062D000-0x0000000000664000-memory.dmp (Filesize 220KB)
- memory/4364-133-0x00000000021B0000-0x0000000002208000-memory.dmp (Filesize 352KB)
- memory/4364-134-0x0000000000400000-0x0000000000480000-memory.dmp (Filesize 512KB)
- memory/4364-135-0x0000000004D00000-0x00000000052A4000-memory.dmp (Filesize 5.6MB)
- memory/4364-136-0x00000000052B0000-0x00000000058C8000-memory.dmp (Filesize 6.1MB)
- memory/4364-137-0x0000000004C70000-0x0000000004C82000-memory.dmp (Filesize 72KB)
- memory/4364-138-0x00000000058D0000-0x00000000059DA000-memory.dmp (Filesize 1.0MB)
- memory/4364-139-0x000000000062D000-0x0000000000664000-memory.dmp (Filesize 220KB)
- memory/4364-140-0x00000000021B0000-0x0000000002208000-memory.dmp (Filesize 352KB)
- memory/4364-141-0x0000000004C90000-0x0000000004CCC000-memory.dmp (Filesize 240KB)
- memory/4364-142-0x0000000000710000-0x00000000007A2000-memory.dmp (Filesize 584KB)
- memory/4364-143-0x00000000008B0000-0x0000000000916000-memory.dmp (Filesize 408KB)
- memory/4364-144-0x0000000006430000-0x0000000006480000-memory.dmp (Filesize 320KB)
- memory/4364-145-0x0000000006490000-0x0000000006506000-memory.dmp (Filesize 472KB)
- memory/4364-146-0x00000000066B0000-0x0000000006872000-memory.dmp (Filesize 1.8MB)
- memory/4364-147-0x0000000007360000-0x000000000788C000-memory.dmp (Filesize 5.2MB)
- memory/4364-148-0x0000000006B30000-0x0000000006B4E000-memory.dmp (Filesize 120KB)
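The memory dump listing above is the most useful artefact in this report for anyone who wants to recover the in-memory payload: the 0x400000-0x480000 region (512KB) is the default image base of a 32-bit PE, consistent with WerFault.exe being launched from SysWOW64, and two ranges appear twice (indices 132/139 and 133/140), so they are worth diffing against each other. The following Python script is an added example, not part of the sandbox report or its tooling; it parses the dump filenames, cross-checks each declared Filesize against the address range, and reports repeated ranges, the dump covering a given address, and the largest dump. The listing embedded in the script is transcribed from the Downloads list above; the 5% tolerance is an assumption about how the report rounds sizes to one decimal.

```python
import re
from dataclasses import dataclass

# Transcribed from the Downloads list in the report above (pid 4364 memory dumps).
DUMP_LISTING = """\
memory/4364-132-0x000000000062D000-0x0000000000664000-memory.dmp 220KB
memory/4364-133-0x00000000021B0000-0x0000000002208000-memory.dmp 352KB
memory/4364-134-0x0000000000400000-0x0000000000480000-memory.dmp 512KB
memory/4364-135-0x0000000004D00000-0x00000000052A4000-memory.dmp 5.6MB
memory/4364-136-0x00000000052B0000-0x00000000058C8000-memory.dmp 6.1MB
memory/4364-137-0x0000000004C70000-0x0000000004C82000-memory.dmp 72KB
memory/4364-138-0x00000000058D0000-0x00000000059DA000-memory.dmp 1.0MB
memory/4364-139-0x000000000062D000-0x0000000000664000-memory.dmp 220KB
memory/4364-140-0x00000000021B0000-0x0000000002208000-memory.dmp 352KB
memory/4364-141-0x0000000004C90000-0x0000000004CCC000-memory.dmp 240KB
memory/4364-142-0x0000000000710000-0x00000000007A2000-memory.dmp 584KB
memory/4364-143-0x00000000008B0000-0x0000000000916000-memory.dmp 408KB
memory/4364-144-0x0000000006430000-0x0000000006480000-memory.dmp 320KB
memory/4364-145-0x0000000006490000-0x0000000006506000-memory.dmp 472KB
memory/4364-146-0x00000000066B0000-0x0000000006872000-memory.dmp 1.8MB
memory/4364-147-0x0000000007360000-0x000000000788C000-memory.dmp 5.2MB
memory/4364-148-0x0000000006B30000-0x0000000006B4E000-memory.dmp 120KB
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <declared size>
ENTRY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<size>[\d.]+(?:KB|MB))$"
)
UNITS = {"KB": 1024, "MB": 1024 * 1024}


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int
    declared: int  # bytes, derived from the report's rounded "Filesize"

    @property
    def length(self) -> int:
        return self.end - self.start


def parse_size(text: str) -> int:
    """'5.6MB' -> 5872025 bytes (binary units, as sandbox reports use)."""
    number, unit = text[:-2], text[-2:]
    return int(float(number) * UNITS[unit])


def parse_listing(text: str) -> list:
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dump entry: {line!r}")
        regions.append(Region(
            pid=int(m["pid"]), idx=int(m["idx"]),
            start=int(m["start"], 16), end=int(m["end"], 16),
            declared=parse_size(m["size"]),
        ))
    return regions


def size_mismatches(regions, tolerance=0.05) -> list:
    """Indices whose declared Filesize disagrees with the address range.
    Assumption: the report rounds MB values to one decimal, hence the tolerance."""
    return [r.idx for r in regions
            if r.length <= 0 or abs(r.length - r.declared) / r.length > tolerance]


def duplicate_regions(regions) -> dict:
    """Address ranges dumped more than once; these are the pairs worth diffing."""
    seen = {}
    for r in regions:
        seen.setdefault((r.start, r.end), []).append(r.idx)
    return {rng: idxs for rng, idxs in seen.items() if len(idxs) > 1}


def regions_covering(regions, address) -> list:
    """Dump indices whose range contains `address` (e.g. 0x400000, the default 32-bit PE image base)."""
    return [r.idx for r in regions if r.start <= address < r.end]


def largest(regions) -> int:
    return max(regions, key=lambda r: r.length).idx


def triage(text=DUMP_LISTING) -> dict:
    regions = parse_listing(text)
    return {
        "count": len(regions),
        "mismatches": size_mismatches(regions),
        "duplicates": duplicate_regions(regions),
        "image_base": regions_covering(regions, 0x400000),
        "largest": largest(regions),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as-is and the dump at index 134 is the one to load first: it sits at the image base and its 512KB exceeds the 297KB file on disk, which is what you expect from a packed sample that has been unpacked in place. The two repeated ranges show where the sandbox captured the same memory at different points in execution.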