Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 10:57
Behavioral task: behavioral1
Sample: 168ca225e821d31cb57c305ea2116e91.exe
Resource: win7-20231129-en
General
Target: 168ca225e821d31cb57c305ea2116e91.exe
Size: 281KB
MD5: 168ca225e821d31cb57c305ea2116e91
SHA1: f43f6ea0e3872a51e6ae7edd5ef886b42e03cc3a
SHA256: 5fce8b2ae18c35e41d0cc618385c27ba8ed228129d4dc1318e7260f1cd3bc542
SHA512: c238844f508bcd63d2930a0fb53f751bbf8bc7c031115fd4ab1efc7d4f0ddc17bbc94ab443847839df0ecd096a5fac34b4443d4f4ae09bb2bb44f2cc2c5a4b90
SSDEEP: 3072:wdHwcyTwduBT+lNd8KzxYc6psXBbgq3QrUSzbDvmueVnqXv46tYBI+2iJOG93hIj:MMwduBylNd9tQ/HDvmueVnqXvPYBJU
Malware Config
Extracted
Family: 44caliber
Webhook (exfiltration channel): https://discord.com/api/webhooks/873017348871823390/rg2sd0oyvYQHl2ZA4ewWhYWL7E3kpvZjKQOQib48rLbJztSPo_u5DDzkkCfQUnjRpZDP
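The extracted config above is a Discord webhook, which for this family is the exfiltration channel: the stealer POSTs harvested data straight to it. When a sandbox does not extract the config for you, the same URL can usually be pulled from the binary with a pattern scan. The following is an added example (not code from the sandbox, the report, or the malware) that scans a buffer for Discord webhook URLs in both ASCII and UTF-16LE, since .NET string literals are stored UTF-16LE, and returns the webhook id and token separately. The sample buffer, id and token are constructed for the example and are not the real indicator.

```python
"""Pull Discord webhook URLs out of a binary blob (added example).

Scans both an ASCII view and UTF-16LE views of the data so that strings
embedded by .NET samples (stored UTF-16LE) are found as well as plain ones.
"""
from __future__ import annotations

import re
from typing import Iterator, NamedTuple


class Webhook(NamedTuple):
    url: str
    webhook_id: str  # Discord snowflake, all digits
    token: str       # url-safe token that authorizes posting to the hook
    encoding: str    # which view of the blob the match came from


# Shape of a Discord webhook URL: numeric snowflake id, then a long
# url-safe token. The legacy discordapp.com and ptb/canary hosts are included.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]{60,100})"
)


def _views(blob: bytes) -> Iterator[tuple[str, str]]:
    """Yield (encoding label, text) views of the blob to run the regex over."""
    # latin-1 maps every byte 1:1, so ASCII strings survive and nothing raises.
    yield "ascii", blob.decode("latin-1")
    # A UTF-16LE string may start at an odd file offset; try both alignments.
    for off in (0, 1):
        chunk = blob[off:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield "utf-16le", chunk.decode("utf-16-le", errors="replace")


def extract_webhooks(blob: bytes) -> list[Webhook]:
    """Return unique webhook URLs found in any view, in discovery order."""
    found: dict[str, Webhook] = {}
    for enc, text in _views(blob):
        for m in WEBHOOK_RE.finditer(text):
            url = m.group(0)
            found.setdefault(url, Webhook(url, m.group(1), m.group(2), enc))
    return list(found.values())


# Constructed sample input (not the real binary): PE-ish junk, one ASCII
# webhook, then one UTF-16LE webhook placed at an odd offset. Fake id/token.
FAKE_TOKEN = "Cc" * 34  # 68 chars, the same shape as a real token
ASCII_URL = f"https://discord.com/api/webhooks/123456789012345678/{FAKE_TOKEN}"
WIDE_URL = f"https://discord.com/api/webhooks/987654321098765432/{FAKE_TOKEN}"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + ASCII_URL.encode("ascii")
    + b"\x00\x01\x00"  # 3 bytes, so the wide string starts at an odd offset
    + WIDE_URL.encode("utf-16-le")
    + b"\xff" * 8
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BLOB):
        print(f"[{hook.encoding}] id={hook.webhook_id} token={hook.token[:8]}...")
```

Run it against `open(path, "rb").read()` of the sample. A live webhook URL is both the exfiltration endpoint and a credential: the token alone lets anyone post to the channel, so handle it as an IOC (block the URL at the egress proxy, report the webhook to Discord) and never POST to it from an analysis host.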
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
2964  168ca225e821d31cb57c305ea2116e91.exe
2964  168ca225e821d31cb57c305ea2116e91.exe
2964  168ca225e821d31cb57c305ea2116e91.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2964  168ca225e821d31cb57c305ea2116e91.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                        pid   process                               target process
PID 2964 wrote to memory of 2404   2964  168ca225e821d31cb57c305ea2116e91.exe  WerFault.exe
PID 2964 wrote to memory of 2404   2964  168ca225e821d31cb57c305ea2116e91.exe  WerFault.exe
PID 2964 wrote to memory of 2404   2964  168ca225e821d31cb57c305ea2116e91.exe  WerFault.exe
The only write target is WerFault.exe, the Windows Error Reporting handler that the sample spawned for its own PID (see the process tree below), so this entry is the sample writing into the crash handler it launched, not injection into an unrelated process.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\168ca225e821d31cb57c305ea2116e91.exe (PID 2964)
Command line: "C:\Users\Admin\AppData\Local\Temp\168ca225e821d31cb57c305ea2116e91.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
2. C:\Windows\system32\WerFault.exe (PID 2404, child of 2964)
Command line: C:\Windows\system32\WerFault.exe -u -p 2964 -s 812
WerFault.exe -u -p <pid> is the user-mode Windows Error Reporting handler started for a faulting process, so the sample crashed during the run. Treat the behavioral results as possibly truncated: anything the stealer would do after the crash point, including posting to the webhook in the extracted config, may not have been observed.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2964-0-0x0000000000E70000-0x0000000000EBC000-memory.dmp (Filesize: 304KB)
- memory/2964-1-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp (Filesize: 9.9MB)
- memory/2964-2-0x000000001B550000-0x000000001B5D0000-memory.dmp (Filesize: 512KB)
- memory/2964-20-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp (Filesize: 9.9MB)
- memory/2964-21-0x000000001B550000-0x000000001B5D0000-memory.dmp (Filesize: 512KB)