Analysis
-
max time kernel
90s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
09/01/2023, 15:02
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
7 signatures
150 seconds
General
-
Target
file.exe
-
Size
458KB
-
MD5
68e892ef20821886a2cd3e8572fde632
-
SHA1
2ba067d806b05913df4dd32c6606690b7b58f53f
-
SHA256
6d1de9c86cf49e38d6bbac7f2b1cec4486e70c32435d5069a40ed04847db2a7e
-
SHA512
1a6e4597024c8daf3ff2a3f9344e5268c8a89151592e3703eb0617871a91493c69eca18742c5854506d93913f97836a819d4625d5e387340ba27bbb3f6074ea9
-
SSDEEP
12288:GkbWj9iO5e1IrIwBUwZHmcCH3uC696++gb:GYWj9zY0ZUimp3p6r+q
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 628 3312 WerFault.exe 61 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3312 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3312 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 19002⤵
- Program crash
PID:628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3312 -ip 33121⤵PID:208