82c5ff411b11be633c9b26bf025d1869476e6f1ba64c9621c74a8413d2ecb84d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40d274ecc79f3ce1037f0f1f02f5e6a.exe
Size

217KB
MD5

a40d274ecc79f3ce1037f0f1f02f5e6a
SHA1

d2d9ab91950b93c2ffb862681833e3a891f6e95f
SHA256

82c5ff411b11be633c9b26bf025d1869476e6f1ba64c9621c74a8413d2ecb84d
SHA512

ff9c2957fe967c6da995fe42826a1e162ab939ce705e662194f40a1561675ed90f9b1f5d27d5055ce6c9ad57a7a46f6d7d340678dc2412dc673142b6c8003150
SSDEEP

3072:wz+IxKLwtNVwygQvtaiipH2V6zBcUqpBR9rDUrsIprub9ZrkRGnUCrF7vnAim7fG:wz+3EbTQiiLEPEwUyb9CRGthvbOqLFN

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2200	a40d274ecc79f3ce1037f0f1f02f5e6a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	a40d274ecc79f3ce1037f0f1f02f5e6a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 240	2200	a40d274ecc79f3ce1037f0f1f02f5e6a.exe	29
PID 2200 wrote to memory of 240	2200	a40d274ecc79f3ce1037f0f1f02f5e6a.exe	29
PID 2200 wrote to memory of 240	2200	a40d274ecc79f3ce1037f0f1f02f5e6a.exe	29

C:\Users\Admin\AppData\Local\Temp\a40d274ecc79f3ce1037f0f1f02f5e6a.exe
"C:\Users\Admin\AppData\Local\Temp\a40d274ecc79f3ce1037f0f1f02f5e6a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2200 -s 1364
  2⤵
  PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC42.tmp

Filesize
129KB

MD5
1f080c6fb2af1177acbed0d374a7b9b6

SHA1
2a2419dcde20bdcd1f5b8ff671d12758cc810aee

SHA256
6a1936c04d84c0f321cd6954e01777f5d428ba4b321fe8210d289d5d37bdebd7

SHA512
116053187aa3b873e6df7c55c899702e8a9994aca09a1298da0da363d18088e80de8346cb79c7b529dd127d46631452bd9c03bbb1b2b9839ece8cdbef0207909

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC55.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7A.tmp

Filesize
92KB

MD5
d5ee43d2a25c2370159327c951da3f57

SHA1
11b76c32e3a08381101d597187e3c96788659025

SHA256
c66200d56aced972e2dd7d63f73c12d0e7f575827ea54f83ac66a37f832234ed

SHA512
8108a4bcde1fed31b7ae863510e4705ad74c934a53e42dbd51cad8701c4a272af939e38076904dc7941dcbfd57aa60152798250af34696c196171a465fb5a1dd

Download Submit
memory/2200-0-0x0000000001380000-0x00000000013BE000-memory.dmp

Filesize
248KB

Download
memory/2200-1-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-2-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/2200-3-0x0000000000390000-0x00000000003CA000-memory.dmp

Filesize
232KB

Download
memory/2200-4-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download
memory/2200-5-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/2200-114-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-115-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download