70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655

General

Target

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe
Size

3.1MB
MD5

cd12cb026f70700b6d7d3122360c52e8
SHA1

b944514f2b56e27a9b5e26316f72fd9fec8aa94c
SHA256

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655
SHA512

6e9c3d683dbf9e16ae868ceb3078dffe330b7b81f50de204aab5d10d3b3baede98853b7f4f9fd2e871d6aa439716c9b6c0cef416478845954a7a08d8efe71f19
SSDEEP

49152:T5wh59b5nEKS6JKokJL06d4vD9GJjq/5qS3mynxdD4/7AQxDy:TUnuxBzd1IgYmoIfD

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1484	1340	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
984	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	984	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe

description	pid	Process	procid_target
PID 1340 wrote to memory of 984	1340	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	29
PID 1340 wrote to memory of 984	1340	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	29
PID 1340 wrote to memory of 984	1340	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	29
PID 1340 wrote to memory of 1484	1340	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	31
PID 1340 wrote to memory of 1484	1340	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	31
PID 1340 wrote to memory of 1484	1340	70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe	31

C:\Users\Admin\AppData\Local\Temp\70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe
"C:\Users\Admin\AppData\Local\Temp\70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1340 -s 1088
  2⤵
  - Program crash
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2045.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5SqELv0pLKoGRp6qilcrOZfduooJd\sensfiles.zip

Filesize
2.8MB

MD5
05a521640b5e2d06a94c2697010e927a

SHA1
e28139503b338323a5e60ca46fe62f3f38fd4f1b

SHA256
c266a2872180440c1bf08e0e0e9f58ff7ebaff66bc53d6725487b633689c24e3

SHA512
b65a0d6d20a831d15de8219ca985277b8bbcee7f82ee6c6f657773f15a75845e7fd6596f72e947959317b2bb6734b1603dccd7a82140c126e8e64580c5d86917

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_default_login_data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_default_webdata

Filesize
92KB

MD5
69b8d13c4e4ec564e98ce44cf52a904e

SHA1
299f30cf457794a5310b3604ce074c46b7dba353

SHA256
d1dadcd3e1ed1693374068e92062c18d9136295d7b4685f6e564e92242a21905

SHA512
4bf2906b5dc87483f479de4a4a180193085e35a615f537c2900498b40a90d7f1af81a7dfb79182dd8793b9fda51dc210834cc2cdacdac34f73f19344c505096c

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_network_cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/984-95-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/984-96-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/984-97-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/984-98-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/984-99-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads