Analysis
max time kernel: 143s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2023 12:30
Static task: static1
1 signatures
General
Target: f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901.exe
Size: 373KB
MD5: 190a88a1c4798d1dc166375d2fadb207
SHA1: 71c62bb7dbd18b8093942fb8f9b4eb4d596e3efe
SHA256: f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901
SHA512: b6616a5f81e679cb174a8332d50023061732700e5aebb8d65594f9626948dc2d69bbba770915902f8eabda9974ba94354d9802eb980664a5c85557047498b4a9
SSDEEP: 6144:CmpwvuLvSGltwuaf2Zu1UOrTiBpDBBI8uI3W0CLp11:BWvuj3HPJmb2pDPIlp
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (1 IoC)
pid    pid_target   Process        procid_target
2172   2200         WerFault.exe   82
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
2200   f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901.exe
2200   f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   2200   f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2f958748ed4e2ea045ea199926e77a82a7b17c801d9709ad1d485a77232c901.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2200
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1280
      - Program crash
      PID: 2172
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2200 -ip 2200
  PID: 2512