8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 07:46

Target

8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe.exe
Size

386KB
MD5

858891353acd9b34d40cf2a89b9d8794
SHA1

56cdd9381da7346b5a2ed1eb23aa1a541895ecb2
SHA256

8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe
SHA512

eb835dc13d264d7645216e408957efef8338a5de12f69fefadf02d46c515df2e684aaf3145b9033bcede07277c66940868487e6f1ba77ac4a99375932874b450
SSDEEP

6144:FxNsLQk7MUO1hZbaId0crds2LRDxayo8B3+gWsVkw6rliWTsZQ/7:f2Mk7Ms4rdscDxayH+gdWw65MZ

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2120	628	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
628	8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe.exe

C:\Users\Admin\AppData\Local\Temp\8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe.exe
"C:\Users\Admin\AppData\Local\Temp\8de8c3a776f67f2e1f19b184a7fb6a58442bd0283fac94dccb570d04191bfbbe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1240
  2⤵
  - Program crash
  PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 628 -ip 628
1⤵
PID:4624

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/628-134-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/628-135-0x0000000000890000-0x00000000008CE000-memory.dmp

Filesize
248KB

Download
memory/628-136-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/628-137-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/628-138-0x0000000007A60000-0x0000000008078000-memory.dmp

Filesize
6.1MB

Download
memory/628-139-0x0000000002980000-0x0000000002992000-memory.dmp

Filesize
72KB

Download
memory/628-140-0x0000000008080000-0x000000000818A000-memory.dmp

Filesize
1.0MB

Download
memory/628-141-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/628-142-0x00000000029A0000-0x00000000029DC000-memory.dmp

Filesize
240KB

Download
memory/628-143-0x0000000008370000-0x00000000083D6000-memory.dmp

Filesize
408KB

Download
memory/628-144-0x0000000008B60000-0x0000000008BF2000-memory.dmp

Filesize
584KB

Download
memory/628-145-0x0000000008C30000-0x0000000008CA6000-memory.dmp

Filesize
472KB

Download
memory/628-146-0x0000000008D20000-0x0000000008EE2000-memory.dmp

Filesize
1.8MB

Download
memory/628-147-0x0000000008EF0000-0x000000000941C000-memory.dmp

Filesize
5.2MB

Download
memory/628-148-0x0000000009520000-0x000000000953E000-memory.dmp

Filesize
120KB

Download
memory/628-150-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download