518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 12:00

Target

518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff.exe
Size

400KB
MD5

9c88149795222b21389b93b69edcc3c7
SHA1

ec277b865f788289b731a5cc8dc80a7cb2b551ba
SHA256

518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff
SHA512

6595502b273bd96ec16c52cf920e10c526a26ae4d854640742ad94780b44bfb3d496b56d7567362ce78bada3bf39398d95f617cb813f6add48e0d837550d2c7d
SSDEEP

6144:poXL3apNcz6ztuFOO2N+keTg0ZP1twYGBB9/CJTk637eQfnd5VphB:QDqJztQ2AkeM0Z6v9CJb7d5V

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4296	4876	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4876	518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff.exe

C:\Users\Admin\AppData\Local\Temp\518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff.exe
"C:\Users\Admin\AppData\Local\Temp\518af0c342abeae63a11c907605380199a0b6f344a93713e05d1efeada57a3ff.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1156
  2⤵
  - Program crash
  PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4876 -ip 4876
1⤵
PID:604

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/4876-132-0x00000000004CE000-0x00000000004FC000-memory.dmp

Filesize
184KB

Download
memory/4876-133-0x00000000005F0000-0x000000000063B000-memory.dmp

Filesize
300KB

Download
memory/4876-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4876-135-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/4876-136-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/4876-137-0x0000000007840000-0x000000000794A000-memory.dmp

Filesize
1.0MB

Download
memory/4876-138-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/4876-139-0x00000000079C0000-0x00000000079FC000-memory.dmp

Filesize
240KB

Download
memory/4876-140-0x0000000008590000-0x00000000085F6000-memory.dmp

Filesize
408KB

Download
memory/4876-141-0x0000000008880000-0x0000000008912000-memory.dmp

Filesize
584KB

Download
memory/4876-142-0x00000000004CE000-0x00000000004FC000-memory.dmp

Filesize
184KB

Download
memory/4876-143-0x0000000008A50000-0x0000000008C12000-memory.dmp

Filesize
1.8MB

Download
memory/4876-144-0x0000000008E30000-0x000000000935C000-memory.dmp

Filesize
5.2MB

Download
memory/4876-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download