Analysis
max time kernel: 1563s
max time network: 1568s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29-07-2024 06:41
Behavioral task behavioral1: sample Loader-Nursultan-Alpha-Crack-1.16.5.exe, resource win7-20240704-en
Behavioral task behavioral2: sample Loader-Nursultan-Alpha-Crack-1.16.5.exe, resource win10v2004-20240709-en
General
Target: Loader-Nursultan-Alpha-Crack-1.16.5.exe
Size: 303KB
MD5: bce82a7d5c999458d5203188f0e0e8a1
SHA1: 09dc59aa71789fc65c4498b80e3ff3d36fce9dfc
SHA256: 0e01cc82039241dbd9a4c6f1f52939d32a5695352b3de5c3e93cc5a6042f88f7
SHA512: 860bcb01c8d892649bf8a15dd7244cf1f87ca951ebefe7927269325daed82737670c8c4ba77db435d60fa34b5a9bba49145c9500e008e6fdf520002da9a809d1
SSDEEP: 6144:ddFT6MDdbICydeBvRaifWp93duo6rmA1D0xUW:ddzJaifWz3XQ1DdW
Malware Config
Extracted family: 44caliber
Extracted Discord webhook URL: https://discordapp.com/api/webhooks/1261126255034634252/6og2rIiqe6SUACRdn_f3T-i6qHZYEDXPnwESG5TW3Akw-m2wqAcNQNDwZl1UfusAgpnD
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of web browser credential store.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process): 2388, Loader-Nursultan-Alpha-Crack-1.16.5.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeDebugPrivilege, 2388, Loader-Nursultan-Alpha-Crack-1.16.5.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process): PID 2388 wrote to memory of 2000, 2388, Loader-Nursultan-Alpha-Crack-1.16.5.exe, WerFault.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader-Nursultan-Alpha-Crack-1.16.5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader-Nursultan-Alpha-Crack-1.16.5.exe"
  PID: 2388
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2388 -s 1036
    PID: 2000