50967225e0a17653fead9584ab5933ebb5e4006874d476437e20784766a028ca

Analysis

max time kernel
90s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2022 14:31

Target

file.exe
Size

413KB
MD5

09b79ffec9840c5a8a6449242b6fdf50
SHA1

5b5088c5516e43a37d9965792e073c5e377fee69
SHA256

50967225e0a17653fead9584ab5933ebb5e4006874d476437e20784766a028ca
SHA512

deb40e8f97cb365e1a0bb4e1eaa0b66c6806ef21222f074ec072e96dbb67ec87eae55cf8e7914ed7df619f355475095a343a5730717ad3d25da362d9155dbbda
SSDEEP

6144:WqmkLKHgLIu9JQ0ZZxJP48wlXLy0bVGDqJFqdHw5FxdJ3IDBuY7yZY:/mkOHgLIEJZr2XlxqdQ5jd2

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1948	892	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
892	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1248
  2⤵
  - Program crash
  PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 892 -ip 892
1⤵
PID:4512

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/892-132-0x000000000056D000-0x00000000005A3000-memory.dmp

Filesize
216KB

Download
memory/892-133-0x0000000002200000-0x0000000002259000-memory.dmp

Filesize
356KB

Download
memory/892-134-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/892-135-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/892-136-0x0000000005310000-0x0000000005928000-memory.dmp

Filesize
6.1MB

Download
memory/892-137-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/892-138-0x0000000005930000-0x0000000005A3A000-memory.dmp

Filesize
1.0MB

Download
memory/892-139-0x0000000004CB0000-0x0000000004CEC000-memory.dmp

Filesize
240KB

Download
memory/892-140-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/892-141-0x0000000006390000-0x0000000006422000-memory.dmp

Filesize
584KB

Download
memory/892-142-0x0000000006430000-0x00000000064A6000-memory.dmp

Filesize
472KB

Download
memory/892-143-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/892-144-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/892-145-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/892-146-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download