Analysis
-
max time kernel
141s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2023 18:24
Static task
static1
1 signatures
General
-
Target
847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc.exe
-
Size
386KB
-
MD5
9e8379901e9c212e9cd1088a5789660e
-
SHA1
287ba566bd1d8f168af90f4fedf42d0d7636437e
-
SHA256
847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc
-
SHA512
1d959fcb0930e335a29549b7ecbd6ef35a404d5c358050d419001bf5ae313f87516b35b5be7dddd5ce30cc53626ee5b88cc28f98bdc91f25952b4c29783d49dd
-
SSDEEP
6144:AvWK5gX4WJGPgsULzyvMpSZETl/7AFSGOe:AOKyjAPFCzl50FSG
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Program crash 1 IoCs
pid pid_target Process procid_target 3796 2160 WerFault.exe 80 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2160 847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc.exe 2160 847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2160 847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc.exe"C:\Users\Admin\AppData\Local\Temp\847355f35846ae16e0ed391cbfab69405ebd8368af26f61898ce10d4e061c4cc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 19242⤵
- Program crash
PID:3796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2160 -ip 21601⤵PID:4604