Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
12-08-2024 22:04
Behavioral task
behavioral1
Sample
53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
Resource
win10v2004-20240802-en
General
-
Target
53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
-
Size
303KB
-
MD5
3d3676c2d36ed1af59c1815af1f74058
-
SHA1
fc384ba05ea668dfba796b14c34e6056fd0f94b8
-
SHA256
53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6
-
SHA512
3cc2c941082ee926efaa0cb015785321b4090e41abfdcfe7e6484ee414498e0fd6f46ceaee86110795ea6fec5e6456d46d4e6b8d65cbf58e635d1daf0f673fdc
-
SSDEEP
6144:HrzRT6MDdbICydeB7qgGWSlZNaW61mA1D0EfC:HrT2gGWSjNPq1D3C
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1348 wrote to memory of 2648 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe 31 PID 1348 wrote to memory of 2648 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe 31 PID 1348 wrote to memory of 2648 1348 53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe"C:\Users\Admin\AppData\Local\Temp\53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1348 -s 11762⤵PID:2648
-