Analysis
- max time kernel: 24s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2024 16:15
Behavioral task: behavioral1
- Sample: ad8bad1ca3c888140a267dab3ca32f40N.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: ad8bad1ca3c888140a267dab3ca32f40N.exe
- Resource: win10v2004-20240802-en
General
- Target: ad8bad1ca3c888140a267dab3ca32f40N.exe
- Size: 303KB
- MD5: ad8bad1ca3c888140a267dab3ca32f40
- SHA1: a8455a1023ca8b83b145669036eaf7e47fd23a4b
- SHA256: a8234940d8bae72c337c38780bbe79af9ff944282113daa64d7c18addbe019f3
- SHA512: d9522ee93908fb8b04d00a2ae0f79776f6570387ef625e0e46ffb34d185e2e25e753438ec92ed1d39ca6bd3c9ab777397e541facb087fe84852df064dabdc0f0
- SSDEEP: 6144:15hxT6MDdbICydeBvQ26i2dVTZ867mA1D0FI6:15dY26i2vTGA1DR6
Malware Config
- Extracted family: 44caliber
- C2 (Discord webhook): https://discord.com/api/webhooks/1267879755852677195/gVzfD2x4tcYypDXASFDiRFPDc3XXIcfmVrwOtmb4OxjlfTTOMCCPvDvp3O4Y4cLpKKeR
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe
  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe
  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process                                procid_target
  PID 3068 wrote to memory of 568  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe  28
  PID 3068 wrote to memory of 568  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe  28
  PID 3068 wrote to memory of 568  3068  ad8bad1ca3c888140a267dab3ca32f40N.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\ad8bad1ca3c888140a267dab3ca32f40N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad8bad1ca3c888140a267dab3ca32f40N.exe"
   PID: 3068
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 3068 -s 1032
      PID: 568