6fc5b0a4d6493a1a36ce59a8a58d95426fe153be9ea34e6a2bba38d6cb66d145

Analysis

max time kernel
13s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59130a704a3bfa308d062881bf10cd33.exe
Size

249KB
MD5

59130a704a3bfa308d062881bf10cd33
SHA1

baf4dc4b7082937805022dd561e746be7fae9ef7
SHA256

6fc5b0a4d6493a1a36ce59a8a58d95426fe153be9ea34e6a2bba38d6cb66d145
SHA512

efb9e745d02a7cdba00affdc470e7b8c146d22484e1a28e83244970a8d7a720e87eef32470fc417454b669bb43cd4a482a6a1c6b00e291acf1ff6d1dc74a67c0
SSDEEP

6144:FBJMxUAs/sOmkOiyVsWge2f3zdAmgwfuCD2+1ZyL15IEjsTfZizLss:Frrz/sOmkOnsBdzdud+7yLf+r0zLf

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	4772	WerFault.exe	16

Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1744	4772	59130a704a3bfa308d062881bf10cd33.exe	22
PID 4772 wrote to memory of 1744	4772	59130a704a3bfa308d062881bf10cd33.exe	22
PID 4772 wrote to memory of 1744	4772	59130a704a3bfa308d062881bf10cd33.exe	22
PID 1744 wrote to memory of 3728	1744	net.exe	18
PID 1744 wrote to memory of 3728	1744	net.exe	18
PID 1744 wrote to memory of 3728	1744	net.exe	18

C:\Users\Admin\AppData\Local\Temp\59130a704a3bfa308d062881bf10cd33.exe
"C:\Users\Admin\AppData\Local\Temp\59130a704a3bfa308d062881bf10cd33.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\net.exe
  net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 692
  2⤵
  - Program crash
  PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4772 -ip 4772
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4772-1-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4772-2-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4772-4-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4772-3-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4772-5-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4772-6-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4772-9-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download