Analysis
max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2022, 00:21
Static task: static1
General
Target: f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe
Size: 334KB
MD5: 00bc38fbf289a811cb24613ff60bab42
SHA1: 0d561c6ac510b23de55bff15d76c94a8bebbbfdf
SHA256: f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b
SHA512: bbbb98b21c6db03ed972d9276cc03b2ffbec80e79e37c64d7d362e0dc1c68ab29ee9fcbe7079111874056f63357905b1d7fa78faf7902efa1cfb31244c680ed8
SSDEEP: 6144:4Ien0hLNtfHHm/TNznY+zV0p5rARYP0NA1mwoomzg3CgmCwxU0V6:4Ien8XsTNDzVqgYPAwooNSgmvCO
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and form history.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoC)
  pid    pid_target  Process       procid_target
  5092   2876        WerFault.exe  80

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  2876   f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe
  2876   f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid    Process
  Token: SeDebugPrivilege  2876   f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe (PID 2876)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe (PID 5092, child of 2876)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1972
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe (PID 1136)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2876 -ip 2876
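The process list leaves one thing implicit: the second WerFault.exe (PID 1136) sits at the top level of the tree rather than under the sample, so parentage alone does not say whose crash it is reporting. The `-p 2876` switch on both WerFault command lines does. The following Python helper is an added example written for this page; it is not code from the sandbox, from its signature engine, or from the sample. It rebuilds the parent links from the tree depth markers, attributes every WerFault instance to the PID named after `-p` (the only WerFault switch it interprets; `-u`, `-s`, `-pss` and `-ip` are carried through unparsed), and re-derives the report's signature names from a small constructed event list. The registry key and file names in that event list are the well-known locations these signature categories look for (the `CurrentVersion\Uninstall` key, Chrome's `Login Data`, Bitcoin Core's `wallet.dat`), not artifacts observed in this report.

```python
"""Added triage helper (not part of the sandbox report).  Rebuilds the process
tree, attributes WerFault.exe crash reporters to the crashed PID via the -p
switch, and re-derives the report's behavioural signatures from constructed
events."""
import re
from collections import defaultdict

# Process list copied from the report.  depth comes from the tree markers:
# a depth-2 entry is a child of the nearest preceding depth-1 entry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
PROCESSES = [
    {"pid": 2876, "depth": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 5092, "depth": 2, "image": WERFAULT, "cmdline": f"{WERFAULT} -u -p 2876 -s 1972"},
    {"pid": 1136, "depth": 1, "image": WERFAULT, "cmdline": f"{WERFAULT} -pss -s 448 -p 2876 -ip 2876"},
]

# Constructed events in the shape a sandbox would emit.  Key and file names are
# the usual targets of these signature classes, not observations from the report.
EVENTS = [
    {"pid": 2876, "kind": "registry_query", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 2876, "kind": "file_read", "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2876, "kind": "file_read", "path": r"C:\Users\Admin\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 2876, "kind": "token_adjust", "privilege": "SeDebugPrivilege"},
    {"pid": 2876, "kind": "api", "name": "NtQuerySystemInformation"},
    {"pid": 5092, "kind": "file_read", "path": r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER1.tmp"},
]

UNINSTALL_KEY = r"\Microsoft\Windows\CurrentVersion\Uninstall"
BROWSER_DATA = {"Login Data", "Cookies", "Web Data", "logins.json", "key4.db"}
WALLET_FILES = {"wallet.dat"}
PROCESS_ENUM_APIS = {"NtQuerySystemInformation", "CreateToolhelp32Snapshot", "Process32First", "Process32Next"}

# "-p <pid>" preceded by start-of-string or whitespace, so "-pss" and "-ip" do not match.
_WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def match_signatures(events):
    """Map pid -> set of signature names (wording follows the report)."""
    hits = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["kind"]
        if kind == "registry_query" and UNINSTALL_KEY.lower() in ev["key"].lower():
            hits[pid].add("Checks installed software on the system")
        elif kind == "file_read":
            name = ev["path"].rsplit("\\", 1)[-1]
            if name in BROWSER_DATA:
                hits[pid].add("Reads user/profile data of web browsers")
            if name in WALLET_FILES:
                hits[pid].add("Accesses cryptocurrency files/wallets")
        elif kind == "token_adjust" and ev["privilege"] == "SeDebugPrivilege":
            hits[pid].add("Suspicious use of AdjustPrivilegeToken")
        elif kind == "api" and ev["name"] in PROCESS_ENUM_APIS:
            hits[pid].add("Suspicious behavior: EnumeratesProcesses")
    return dict(hits)


def build_tree(processes):
    """pid -> parent pid (None at top level), inferred from the depth markers."""
    parents, stack = {}, []
    for p in processes:
        del stack[p["depth"] - 1:]          # pop ancestors at this depth or deeper
        parents[p["pid"]] = stack[-1]["pid"] if stack else None
        stack.append(p)
    return parents


def werfault_target(cmdline):
    """PID named by WerFault's -p switch, or None if absent."""
    m = _WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def triage(processes, events):
    """Attribute each WerFault instance to the crashed process and attach that
    process's signatures.  PID 1136 has no parent link to the sample, yet its
    -p 2876 shows it is the second reporter for the same crash."""
    by_pid = {p["pid"]: p for p in processes}
    sigs = match_signatures(events)
    reporters = defaultdict(list)
    for p in processes:
        if p["image"].lower().endswith("\\werfault.exe"):
            target = werfault_target(p["cmdline"])
            if target is not None:
                reporters[target].append(p["pid"])
    crashed = {}
    for target, pids in reporters.items():
        crashed[target] = {
            "image": by_pid.get(target, {}).get("image"),
            "reporters": sorted(pids),
            "signatures": sorted(sigs.get(target, ())),
        }
    return {"parents": build_tree(processes), "crashed": crashed}


if __name__ == "__main__":
    for pid, info in triage(PROCESSES, EVENTS)["crashed"].items():
        print(f"crashed pid {pid}: {info['image']}")
        print(f"  reporters : {info['reporters']}")
        print(f"  signatures: {info['signatures']}")
```

The same `-p` correlation is what to reach for in endpoint telemetry when the only surviving record of a short-lived sample is a WerFault.exe launch: the reporter's command line names the crashed PID even after the crashed image has exited.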