Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
18-08-2024 09:56
Behavioral task
behavioral1
Sample
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe
Resource
win10v2004-20240802-en
General
-
Target
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe
-
Size
303KB
-
MD5
f5a2f1da8fcc5e51cc8eec426fa3e545
-
SHA1
da3c79d8d5e6584d3adbd71912291d18681ee109
-
SHA256
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9
-
SHA512
ea3f4b03b149f97e500679d0667b5c1c7b66db242ef27c8520f4b86a5e706ca8424d49ec154cebe90ec1643bbe1a4c5f5e82261ec5f77137e408e8428bc13ec9
-
SSDEEP
6144:HtBuT6MDdbICydeBPKqCBu19FsN6LmA1D0CKU:HtaSqCBu/Few1DUU
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1259819169050923028/FgFc46vkD5YoeeRf3p_mErGG96JCipzz-kU6-Gb301GlKvAaNpgaDswVn7i9JLTzy5-c
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exepid process 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exedescription pid process Token: SeDebugPrivilege 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exedescription pid process target process PID 448 wrote to memory of 2704 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe WerFault.exe PID 448 wrote to memory of 2704 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe WerFault.exe PID 448 wrote to memory of 2704 448 66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe"C:\Users\Admin\AppData\Local\Temp\66c68a3d95d231010e91deed9676b68a529955d8cd44e41fd6dc55a19143acb9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 448 -s 11922⤵PID:2704