809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a

Analysis

max time kernel
127s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 13:07

Target

809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
Size

411KB
MD5

29f314f00e64d79108299860e97b6c92
SHA1

d73835c078b73ae8d4500bff678518a771d708b6
SHA256

809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a
SHA512

6c03557ed01c1b415f198ce1aa11183ddf62761ff2436abc4af4856dd48a93563e8760f8d9abea08a7c460e20b32230405871a7eeb83d71416f054fd68f3aef6
SSDEEP

6144:sv5L+Xp4RFrZrYcyOGlGTa+hL9Oc+ky/4AOmAH4rWlRjO1n:shyXp4RF1rYcyOGlGTa+hAcTiOerW9u

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1608	1112	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1112	809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
1112	809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe

C:\Users\Admin\AppData\Local\Temp\809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe
"C:\Users\Admin\AppData\Local\Temp\809dcefa98dd4241cb443040b202bb0efd9f22c816927ed6c84b743e0cf6001a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1276
  2⤵
  - Program crash
  PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1112 -ip 1112
1⤵
PID:4444

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1112-132-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/1112-134-0x0000000000610000-0x000000000065B000-memory.dmp

Filesize
300KB

Download
memory/1112-133-0x00000000006F8000-0x0000000000726000-memory.dmp

Filesize
184KB

Download
memory/1112-135-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1112-136-0x00000000051E0000-0x00000000057F8000-memory.dmp

Filesize
6.1MB

Download
memory/1112-137-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/1112-138-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download
memory/1112-139-0x00000000059A0000-0x00000000059DC000-memory.dmp

Filesize
240KB

Download
memory/1112-140-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/1112-141-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/1112-142-0x0000000006530000-0x00000000065A6000-memory.dmp

Filesize
472KB

Download
memory/1112-143-0x00000000065B0000-0x0000000006600000-memory.dmp

Filesize
320KB

Download
memory/1112-144-0x0000000006630000-0x00000000067F2000-memory.dmp

Filesize
1.8MB

Download
memory/1112-145-0x0000000006840000-0x0000000006D6C000-memory.dmp

Filesize
5.2MB

Download
memory/1112-146-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download