e970942c5534c9f775ea33b6727c69e6d1b355af4226841f857093fdbb36ceb2

Analysis

max time kernel
3s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Foxit_Reader_2_key_generator.exe
Size

211KB
MD5

b865fa4cecd2783a0ad5d7438bb3e5fd
SHA1

67e453143b3a5eb198590d771d33b8348f4176e6
SHA256

6fe5069400993d3162915ddfdc56f7887a6ab18292e9e6289efee15cb825933b
SHA512

83bbefe8d9f399e249a1ba98b0429e7e324b6634615b9da461e6dc87684aab43af919a5dccfd3207843a4e9839817e4c18e9c55448df3716d50e6c66ea8c11e3
SSDEEP

3072:eJTXsvgyRd34yQdKSmK6U7/K9VXKnSQkeVbyKro3nUIjRlRbcB:exs4w34vdB5/2mHNyOoEIjR3oB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1836 4472 WerFault.exe Foxit_Reader_2_key_generator.exe

pid	pid_target	process	target process
1836	4472	WerFault.exe	Foxit_Reader_2_key_generator.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Foxit_Reader_2_key_generator.exe

pid	process
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe
4472	Foxit_Reader_2_key_generator.exe

C:\Users\Admin\AppData\Local\Temp\Foxit_Reader_2_key_generator.exe
"C:\Users\Admin\AppData\Local\Temp\Foxit_Reader_2_key_generator.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 628
2⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:3336

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4472-0-0x00000000006A0000-0x00000000006FA000-memory.dmp

Filesize
360KB

Download
memory/4472-1-0x00000000006A0000-0x00000000006FA000-memory.dmp

Filesize
360KB

Download