847e253f107811d287f3d69a5e8b6789a3658fbad6a4adf353bead12d80e0dd4

Analysis

max time kernel
30s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 12:40

Target

5636145ced6e73f725835d37f75395017a69a860236a01195dc4b11bdc2be021.dll
Size

1.0MB
MD5

2cf7028f2e221b5c48ce27381282d7ae
SHA1

b24556b48cc4cf9641448d87d9c1ee7f9af86c5a
SHA256

5636145ced6e73f725835d37f75395017a69a860236a01195dc4b11bdc2be021
SHA512

84772a961ab244bedc49bcf6825971a24969fbe3a45f0f6e3d26aaba8db400368637f3d80270a117891dc6df127e3f75763079aa8635ff47bbc24fe67ea22bb3
SSDEEP

24576:JMq/RX0hoa8wrC+azFbtZhUYFauTZyRMlH:Jioa8wrCHz3ZhUYRAuH

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	1148	WerFault.exe	11

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1696	1148	rundll32.exe	27
PID 1148 wrote to memory of 1696	1148	rundll32.exe	27
PID 1148 wrote to memory of 1696	1148	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5636145ced6e73f725835d37f75395017a69a860236a01195dc4b11bdc2be021.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1148 -s 320
  2⤵
  - Program crash
  PID:1696

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact