Analysis
-
max time kernel
94s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
02-01-2023 13:34
Static task
static1
General
-
Target
07b5fc2fbf3b37443b0defaba59d9caf9b404c6e77dd7817ba21b8cb175c6aa6.exe
-
Size
330KB
-
MD5
db5a86093aaf07720b576dba2773a906
-
SHA1
af731390c1ef139428ac6a8412315e9889b5b7ee
-
SHA256
07b5fc2fbf3b37443b0defaba59d9caf9b404c6e77dd7817ba21b8cb175c6aa6
-
SHA512
49a47fa2a994077e30504456bce2425f4a18bd66bddd7d32745b57763d15dccc8d590bb865e515be85c39ba13c8f02495f86dde1530cddf086876576ceb149a4
-
SSDEEP
6144:d33LdpeWDZAFd1wlOiudBZoMviq4jqPu4W9pCi:d33RpeWDkd1wlDoiBd9p
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3380 5020 WerFault.exe 81 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 5020 07b5fc2fbf3b37443b0defaba59d9caf9b404c6e77dd7817ba21b8cb175c6aa6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5020 07b5fc2fbf3b37443b0defaba59d9caf9b404c6e77dd7817ba21b8cb175c6aa6.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\07b5fc2fbf3b37443b0defaba59d9caf9b404c6e77dd7817ba21b8cb175c6aa6.exe"C:\Users\Admin\AppData\Local\Temp\07b5fc2fbf3b37443b0defaba59d9caf9b404c6e77dd7817ba21b8cb175c6aa6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 12882⤵
- Program crash
PID:3380
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5020 -ip 50201⤵PID:5104