Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
08-08-2023 10:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c30feb6c9c747d590d77ccfa1e15d719.exe
Resource
win7-20230712-en
5 signatures
150 seconds
General
-
Target
c30feb6c9c747d590d77ccfa1e15d719.exe
-
Size
385KB
-
MD5
c30feb6c9c747d590d77ccfa1e15d719
-
SHA1
a25c36f12ecfa778f0d93ee625dc9bf7b341078a
-
SHA256
a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4
-
SHA512
37498207c637bab33f5d64c41279c3fb6af830c573170a53efcbfa07dc26d2f1a599dd7ebec7a8c767c4533d1a7fd3858944e79d6eb54c006ce894fcf9dbe96f
-
SSDEEP
6144:d4qo+62RpmrofFTIEuz30y8tt7ma+TkocdI7dc1r:dZJ62Rm2TIEU3W7maKkocWu
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Program crash 1 IoCs
pid pid_target Process procid_target 2212 3776 WerFault.exe 83 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3776 c30feb6c9c747d590d77ccfa1e15d719.exe 3776 c30feb6c9c747d590d77ccfa1e15d719.exe 3776 c30feb6c9c747d590d77ccfa1e15d719.exe 3776 c30feb6c9c747d590d77ccfa1e15d719.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3776 c30feb6c9c747d590d77ccfa1e15d719.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c30feb6c9c747d590d77ccfa1e15d719.exe"C:\Users\Admin\AppData\Local\Temp\c30feb6c9c747d590d77ccfa1e15d719.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 12802⤵
- Program crash
PID:2212
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3776 -ip 37761⤵PID:1240