8c24f73166c439b017fb4490921e52cc2ecd8b98cfc645e0c585f0ec121eea17

Analysis

max time kernel
91s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2023 08:02

Target

file.exe
Size

439KB
MD5

5a87d2753764faf18385d3b935b005d7
SHA1

cd44a5e9c5f30b2455936e939217d267e82dd14c
SHA256

8c24f73166c439b017fb4490921e52cc2ecd8b98cfc645e0c585f0ec121eea17
SHA512

01450247e21c7092f2e820116db07cd6597ed2327e087e6955e528c7af19a5553af30e8a3f2da75203db500476314757b9f9734b2b04a30fd46fef3711c47dae
SSDEEP

6144:aJoLCsrtzJNMJo5jwbu0NZ8R4rEF9YAVb+VrfqNtBv45+JJui6Wb:aJoOsrtVSzZ8RYse0b+rYtBQMJoi

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4580	792	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
792	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1724
  2⤵
  - Program crash
  PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 792 -ip 792
1⤵
PID:4396

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/792-132-0x000000000323D000-0x0000000003273000-memory.dmp

Filesize
216KB

Download
memory/792-133-0x0000000004DC0000-0x0000000004E19000-memory.dmp

Filesize
356KB

Download
memory/792-134-0x00000000077A0000-0x0000000007D44000-memory.dmp

Filesize
5.6MB

Download
memory/792-135-0x0000000000400000-0x0000000003031000-memory.dmp

Filesize
44.2MB

Download
memory/792-136-0x0000000007DA0000-0x00000000083B8000-memory.dmp

Filesize
6.1MB

Download
memory/792-137-0x0000000008420000-0x0000000008432000-memory.dmp

Filesize
72KB

Download
memory/792-138-0x0000000008440000-0x000000000854A000-memory.dmp

Filesize
1.0MB

Download
memory/792-139-0x0000000008550000-0x000000000858C000-memory.dmp

Filesize
240KB

Download
memory/792-140-0x0000000008860000-0x00000000088F2000-memory.dmp

Filesize
584KB

Download
memory/792-141-0x0000000008900000-0x0000000008966000-memory.dmp

Filesize
408KB

Download
memory/792-142-0x0000000009030000-0x00000000090A6000-memory.dmp

Filesize
472KB

Download
memory/792-143-0x00000000090B0000-0x00000000090CE000-memory.dmp

Filesize
120KB

Download
memory/792-144-0x0000000009160000-0x0000000009322000-memory.dmp

Filesize
1.8MB

Download
memory/792-145-0x0000000009330000-0x000000000985C000-memory.dmp

Filesize
5.2MB

Download
memory/792-146-0x000000000323D000-0x0000000003273000-memory.dmp

Filesize
216KB

Download
memory/792-147-0x0000000000400000-0x0000000003031000-memory.dmp

Filesize
44.2MB

Download