Analysis
-
max time kernel
104s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
07/06/2023, 22:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
7 signatures
150 seconds
General
-
Target
file.exe
-
Size
332KB
-
MD5
aa727e598ba7c5a947124cd5fd93ed6d
-
SHA1
0de18ccace13691011506ddaad4ab72a2731bce3
-
SHA256
62a2221333631de6cf65db3fa3e2650947b23f24ea172a3ea998d77baa0cb270
-
SHA512
80221cec662cc89d12993edf8b289b89a4acfa481712d3f036a2d4f9b2c4f1ebb16c0a0a02f6b12d9a7ea0a9e6e5720ff3d797835f4fd3426eac9c97238975ad
-
SSDEEP
6144:JvYd3tEPMde9vknpuXdSovd4OUHtDtUP:Jv8ckUXdpdCNDW
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2552 2796 WerFault.exe 81 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2796 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2796 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 12402⤵
- Program crash
PID:2552
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2796 -ip 27961⤵PID:2744