65a68201d9709f5f3d07fe60b0b693983e2480197b6d9f570b6e78e49deade24

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffb5e1089873e7f4f9e9976e927c2503.exe
Size

2.1MB
MD5

ffb5e1089873e7f4f9e9976e927c2503
SHA1

d57fc95b852ba68ad7fe44a768a8cd2879424e6f
SHA256

65a68201d9709f5f3d07fe60b0b693983e2480197b6d9f570b6e78e49deade24
SHA512

3b462c2728868408542527ae8b5de5844825bd11ef3884e361b17d8eef860f37f8b3f6a69e22cce22d2588d5123b3cabf39ebb0626c55f5383f153aa73cf6f40
SSDEEP

24576:5P+HSWxc52h9AWkdsHbf6a9DhvhcuoORqZFB8ju:N52h9AqHr6a3veuoO8FBp

Score

6^/10

spyware

Malware Config

Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 352 set thread context of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	352	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe
4488	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85
PID 352 wrote to memory of 4488	352	ffb5e1089873e7f4f9e9976e927c2503.exe	85

C:\Users\Admin\AppData\Local\Temp\ffb5e1089873e7f4f9e9976e927c2503.exe
"C:\Users\Admin\AppData\Local\Temp\ffb5e1089873e7f4f9e9976e927c2503.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 388
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 352 -ip 352
1⤵
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4488-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4488-1-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4488-2-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4488-3-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4488-4-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4488-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download