469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6

Analysis

max time kernel
127s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2023, 02:31

Target

469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6.exe
Size

462KB
MD5

765df00ae025cd5e708c8f905717afab
SHA1

b5525cc6046115be644943da0668c7f96ec61e5b
SHA256

469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6
SHA512

c4bb1a3634785f83c5967e31986540decde368f8d23af5c5ce60ddce9a44b7d2042d6edd604afadfc25b15e09f3b494bcdddc127ecb2a4ede1016de93d72973c
SSDEEP

6144:5mLeNB6mBqES187kIQkvUQaKXMRFIBlloxupmL1E/DjT:5mQB6mBPSe7k8MQrBvoxupmL1E/

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	2700	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2700	469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6.exe

C:\Users\Admin\AppData\Local\Temp\469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6.exe
"C:\Users\Admin\AppData\Local\Temp\469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1504
  2⤵
  - Program crash
  PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2700 -ip 2700
1⤵
PID:5096

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2700-132-0x0000000002EE7000-0x0000000002F16000-memory.dmp

Filesize
188KB

Download
memory/2700-133-0x0000000002DE0000-0x0000000002E2B000-memory.dmp

Filesize
300KB

Download
memory/2700-134-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/2700-135-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/2700-136-0x0000000007C80000-0x0000000008298000-memory.dmp

Filesize
6.1MB

Download
memory/2700-137-0x0000000007550000-0x000000000765A000-memory.dmp

Filesize
1.0MB

Download
memory/2700-138-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/2700-139-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/2700-140-0x0000000008490000-0x0000000008522000-memory.dmp

Filesize
584KB

Download
memory/2700-141-0x0000000008530000-0x0000000008596000-memory.dmp

Filesize
408KB

Download
memory/2700-142-0x0000000008C40000-0x0000000008E02000-memory.dmp

Filesize
1.8MB

Download
memory/2700-143-0x0000000008E10000-0x000000000933C000-memory.dmp

Filesize
5.2MB

Download
memory/2700-144-0x0000000002EE7000-0x0000000002F16000-memory.dmp

Filesize
188KB

Download
memory/2700-145-0x0000000002EE7000-0x0000000002F16000-memory.dmp

Filesize
188KB

Download
memory/2700-146-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download