Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 18:01

General

  • Target

    0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe

  • Size

    534KB

  • MD5

    9c228ed564048e4a55675a5f8737343c

  • SHA1

    1372f5eb3f33c2960b0a1ae3e01d171e3544f0ed

  • SHA256

    0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af

  • SHA512

    ff0629ead32c70fb3707c887ac982de001e630e9ea5a029dacc49b0a57213de0da1da66097612b19e692eb6a4bc4ee1f253fb9339439fcf6bd7e3dd3b25320d0

  • SSDEEP

    12288:jSUh1yUg6NkHp7x/FP1WVCYni/dKP6MJpxGnRbbe:jJh1yS67dLUi/Spxqm

Malware Config

Signatures

  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Program crash 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe
    "C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 672
      2⤵
      • Program crash
      PID:1516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 688
      2⤵
      • Program crash
      PID:4680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 480
      2⤵
      • Program crash
      PID:4788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 856
      2⤵
      • Program crash
      PID:4764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 876
      2⤵
      • Program crash
      PID:4944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 856
      2⤵
      • Program crash
      PID:4920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 536
      2⤵
      • Program crash
      PID:2172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1084
      2⤵
      • Program crash
      PID:8
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1124
      2⤵
      • Program crash
      PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\0666f4e14a01a85d07cd530529b8fdc98883c7506c0f7ab02951d675e5fbe2af.exe"
      2⤵
        PID:2124
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1348
        2⤵
        • Program crash
        PID:4924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1112 -ip 1112
      1⤵
        PID:4104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1112 -ip 1112
        1⤵
          PID:2284
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1112 -ip 1112
          1⤵
            PID:4820
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 1112
            1⤵
              PID:4804
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 1112
              1⤵
                PID:2200
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1112 -ip 1112
                1⤵
                  PID:4256
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 1112
                  1⤵
                    PID:1544
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1112 -ip 1112
                    1⤵
                      PID:1884
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 1112
                      1⤵
                        PID:556
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1112 -ip 1112
                        1⤵
                          PID:344

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/1112-132-0x00000000009E3000-0x0000000000A49000-memory.dmp

                          Filesize

                          408KB

                        • memory/1112-133-0x0000000000920000-0x00000000009CE000-memory.dmp

                          Filesize

                          696KB

                        • memory/1112-134-0x0000000000400000-0x000000000087F000-memory.dmp

                          Filesize

                          4.5MB

                        • memory/1112-135-0x0000000000400000-0x000000000087F000-memory.dmp

                          Filesize

                          4.5MB

                        • memory/1112-137-0x0000000000400000-0x000000000087F000-memory.dmp

                          Filesize

                          4.5MB