0f656c5c5d2e47f1286e430f74c496d739f9d9282cddc4de2ecc1feb10430a73

Analysis

max time kernel
107s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 21:31

Target

file.exe
Size

432KB
MD5

20e37089ced0e3bb1a1a3e01f12754dd
SHA1

08fd04e2599af62f1a41cbf640edfffc804f79cf
SHA256

0f656c5c5d2e47f1286e430f74c496d739f9d9282cddc4de2ecc1feb10430a73
SHA512

9bf8c0cb152c4ad2bd7b72fe69feb2f20476df582d83dc9233101b363f6e79c60853cadf78d9155fc7274cddb7c097cc2599bb4a06fa623e9962133d11e6b7c6
SSDEEP

12288:r3xTEGnGGlAYs29gUlOLAxLDBzYK9Ef+11pS:r3NbnreYl3MYvBzxA+/pS

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	2732	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1240
  2⤵
  - Program crash
  PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2732 -ip 2732
1⤵
PID:2976

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2732-132-0x00000000075E0000-0x0000000007B84000-memory.dmp

Filesize
5.6MB

Download
memory/2732-133-0x0000000002EBD000-0x0000000002EF3000-memory.dmp

Filesize
216KB

Download
memory/2732-134-0x0000000002E00000-0x0000000002E59000-memory.dmp

Filesize
356KB

Download
memory/2732-135-0x0000000007B90000-0x00000000081A8000-memory.dmp

Filesize
6.1MB

Download
memory/2732-137-0x0000000000400000-0x0000000002C5F000-memory.dmp

Filesize
40.4MB

Download
memory/2732-136-0x0000000005110000-0x0000000005122000-memory.dmp

Filesize
72KB

Download
memory/2732-138-0x00000000081B0000-0x00000000082BA000-memory.dmp

Filesize
1.0MB

Download
memory/2732-139-0x0000000005130000-0x000000000516C000-memory.dmp

Filesize
240KB

Download
memory/2732-140-0x0000000008480000-0x00000000084E6000-memory.dmp

Filesize
408KB

Download
memory/2732-141-0x0000000008B40000-0x0000000008BD2000-memory.dmp

Filesize
584KB

Download
memory/2732-142-0x0000000008C00000-0x0000000008C76000-memory.dmp

Filesize
472KB

Download
memory/2732-143-0x0000000008CD0000-0x0000000008CEE000-memory.dmp

Filesize
120KB

Download
memory/2732-144-0x0000000008D80000-0x0000000008F42000-memory.dmp

Filesize
1.8MB

Download
memory/2732-145-0x0000000008F60000-0x000000000948C000-memory.dmp

Filesize
5.2MB

Download
memory/2732-146-0x0000000000400000-0x0000000002C5F000-memory.dmp

Filesize
40.4MB

Download