Analysis
-
max time kernel
132s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-01-2023 18:01
Static task
static1
Behavioral task
behavioral1
Sample
0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
Resource
win10v2004-20220812-en
General
-
Target
0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
-
Size
534KB
-
MD5
9c228ed564048e4a55675a5f8737343c
-
SHA1
1372f5eb3f33c2960b0a1ae3e01d171e3544f0ed
-
SHA256
0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af
-
SHA512
ff0629ead32c70fb3707c887ac982de001e630e9ea5a029dacc49b0a57213de0da1da66097612b19e692eb6a4bc4ee1f253fb9339439fcf6bd7e3dd3b25320d0
-
SSDEEP
12288:jSUh1yUg6NkHp7x/FP1WVCYni/dKP6MJpxGnRbbe:jJh1yS67dLUi/Spxqm
Malware Config
Signatures
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 10 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1516 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4680 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4788 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4764 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4944 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4920 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 2172 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 8 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4244 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 4924 1112 WerFault.exe 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exepid process 1112 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe 1112 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exedescription pid process target process PID 1112 wrote to memory of 2124 1112 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe cmd.exe PID 1112 wrote to memory of 2124 1112 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe cmd.exe PID 1112 wrote to memory of 2124 1112 0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 6722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 6882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 4802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 5362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 10842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11242⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.execmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 13482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1112 -ip 11121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1112-132-0x00000000009E3000-0x0000000000A49000-memory.dmpFilesize
408KB
-
memory/1112-133-0x0000000000920000-0x00000000009CE000-memory.dmpFilesize
696KB
-
memory/1112-134-0x0000000000400000-0x000000000087F000-memory.dmpFilesize
4.5MB
-
memory/1112-135-0x0000000000400000-0x000000000087F000-memory.dmpFilesize
4.5MB
-
memory/1112-137-0x0000000000400000-0x000000000087F000-memory.dmpFilesize
4.5MB
-
memory/2124-136-0x0000000000000000-mapping.dmp