Analysis
  max time kernel: 127s
  max time network: 129s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/12/2022, 13:07
Static task: static1
General
  Target: 809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
  Size: 411KB
  MD5: 29f314f00e64d79108299860e97b6c92
  SHA1: d73835c078b73ae8d4500bff678518a771d708b6
  SHA256: 809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a
  SHA512: 6c03557ed01c1b415f198ce1aa11183ddf62761ff2436abc4af4856dd48a93563e8760f8d9abea08a7c460e20b32230405871a7eeb83d71416f054fd68f3aef6
  SSDEEP: 6144:sv5L+Xp4RFrZrYcyOGlGTa+hL9Oc+ky/4AOmAH4rWlRjO1n:shyXp4RF1rYcyOGlGTa+hAcTiOerW9u
Malware Config
Signatures
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    1608  1112        WerFault.exe  80
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    1112  809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
    1112  809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  1112  809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe"
    PID: 1112
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1276
      PID: 1608
      - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1112 -ip 1112
    PID: 4444