fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b.exe
Size

200KB
MD5

4d2fd4f65f3421a7bc737143f735926a
SHA1

633bb2fe8f36c39673f053a85f44d59a5998d46e
SHA256

fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b
SHA512

626522f0cf0522d9c9f677d3be2167fcd0685335fc61da4d48d2a255ea2695d590d999b7574a926cb9116d478c131427b65638010bc9e0001072a42052f865ef
SSDEEP

3072:HprbTNB1WDuJB8wZ4SraolOYLoO6cq6rRGBVnGupb0zVCSf+g:5bTNCcFaoAYLFzroBI8wR

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	0jpz.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2344	1760	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1760	4732	fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b.exe	85
PID 4732 wrote to memory of 1760	4732	fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b.exe	85
PID 4732 wrote to memory of 1760	4732	fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b.exe	85

C:\Users\Admin\AppData\Local\Temp\fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b.exe
"C:\Users\Admin\AppData\Local\Temp\fcabe524c56ca0d26b879bbcb6766c90bbcac6ce264f8218b1536b4a363ab46b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- \??\c:\0jpz.exe
  c:\0jpz.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 496
    3⤵
    - Program crash
    PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1760 -ip 1760
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0jpz.exe

Filesize
18KB

MD5
eebf33097f5d59f7e220ab44bb2ce164

SHA1
790c50d01efd1e6cbbfdf78a3656d36dd325f364

SHA256
078448442075113f71deb0e6b16fad5bfc1b7d45b7eb6602cda3678b2831789d

SHA512
fad6030c1b8779f141a0aa2b9975b2d9e81588e04e99fa7e8a1479777a278bce4e27dccf3683531f09d1f569d190c6bcb9f392b995ae7dcc0a18ebab0229df47

Download Submit
\??\c:\0jpz.exe

Filesize
18KB

MD5
eebf33097f5d59f7e220ab44bb2ce164

SHA1
790c50d01efd1e6cbbfdf78a3656d36dd325f364

SHA256
078448442075113f71deb0e6b16fad5bfc1b7d45b7eb6602cda3678b2831789d

SHA512
fad6030c1b8779f141a0aa2b9975b2d9e81588e04e99fa7e8a1479777a278bce4e27dccf3683531f09d1f569d190c6bcb9f392b995ae7dcc0a18ebab0229df47

Download Submit