ba9c201ca52eed0958ad42e1907e460c19eb0c83e901332e8061eec41e136d9e

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/02/2023, 05:33

Target

file.exe
Size

310KB
MD5

3619425eaf78e9c5c89ed5f65ccc95e7
SHA1

12dcc2becb1c5aba2561ac3da3bca23a49072084
SHA256

ba9c201ca52eed0958ad42e1907e460c19eb0c83e901332e8061eec41e136d9e
SHA512

e6738795b984ac2328b2274ef4557370add02ad507cca2c43cef423e22ba0559d9ce51377fbfee3ea4e9ff8e02b1ba80f17db3949ae0d05ae5cc5adcc2f8abe3
SSDEEP

6144:EwULtHKxOJJegBd0lC9EH28q340ryW269nPmgAmYVCBv:E/RJJhBelV2N1JmzdCB

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	3372	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3372	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1224
  2⤵
  - Program crash
  PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3372 -ip 3372
1⤵
PID:3332

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/3372-132-0x00000000006FF000-0x000000000072C000-memory.dmp

Filesize
180KB

Download
memory/3372-133-0x00000000022C0000-0x0000000002322000-memory.dmp

Filesize
392KB

Download
memory/3372-134-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3372-135-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/3372-136-0x0000000005310000-0x0000000005928000-memory.dmp

Filesize
6.1MB

Download
memory/3372-137-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/3372-138-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3372-139-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

Filesize
240KB

Download
memory/3372-140-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/3372-141-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/3372-142-0x0000000006560000-0x00000000065D6000-memory.dmp

Filesize
472KB

Download
memory/3372-143-0x0000000006640000-0x0000000006802000-memory.dmp

Filesize
1.8MB

Download
memory/3372-144-0x0000000006820000-0x0000000006D4C000-memory.dmp

Filesize
5.2MB

Download
memory/3372-145-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/3372-146-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download