Analysis
max time kernel: 121s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-08-2023 09:27

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: a1e9bdbabd0a6e1065ad0c87c56d1300.exe
Resource: win7-20230712-en (18 signatures, 150 seconds)
General
Target: a1e9bdbabd0a6e1065ad0c87c56d1300.exe
Size: 384KB
MD5: a1e9bdbabd0a6e1065ad0c87c56d1300
SHA1: 6228d0b77e7a646f3080fffdf1e547a1cea8bfd2
SHA256: 0e9ebffdac31f5df08227a8cf888c9ae92429fbb2a26ff285d3ce24e231a65bd
SHA512: 84e00c71221f85245dc96c054a4e3a27a40fefb489d71834310a5f2622fc798db00ca15fc38b7d004daa76ad466729deb3c007a6941fa391888552de06c794c0
SSDEEP: 6144:mHD512cGAw1hen2wHco0NP/WUH5GXzHcZmZa:mjP2cG51hYTHf09n5GD8QA
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  3744  2484        WerFault.exe  79
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2484  a1e9bdbabd0a6e1065ad0c87c56d1300.exe
  2484  a1e9bdbabd0a6e1065ad0c87c56d1300.exe
  2484  a1e9bdbabd0a6e1065ad0c87c56d1300.exe
  2484  a1e9bdbabd0a6e1065ad0c87c56d1300.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2484  a1e9bdbabd0a6e1065ad0c87c56d1300.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a1e9bdbabd0a6e1065ad0c87c56d1300.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1e9bdbabd0a6e1065ad0c87c56d1300.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2484
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1932
    - Program crash
    PID: 3744
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2484 -ip 2484
  PID: 4584