Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 05:19
Behavioral task
behavioral1
Sample
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe
Resource
win10v2004-20240802-en
General
-
Target
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe
-
Size
303KB
-
MD5
74d3f720e38b834198fee67e020bb736
-
SHA1
5fab6ccb0748a2de502b877c34d2409b1118bd30
-
SHA256
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1
-
SHA512
f4ae410699ba0a4cc21fa946e51f5364ab13ac176627509a346bcb7924ae76b23149ba78f643211d64bc59d7eef81d304b477b3310d09eb797c07afdddee0277
-
SSDEEP
6144:b1E0T6MDdbICydeB1MnyCvG/9GzC6jmA1D0Lyf:b1z6yCvGFG+Y1D1f
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1254423260591030333/Im8Y-IPgPJTWTloM0jy_llzrxAFZLtGLTGrSJEpTfiSbOm4QV3WSBgCXN7xBYLC5ajH9
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exepid process 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exedescription pid process Token: SeDebugPrivilege 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exedescription pid process target process PID 976 wrote to memory of 2576 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe WerFault.exe PID 976 wrote to memory of 2576 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe WerFault.exe PID 976 wrote to memory of 2576 976 bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe"C:\Users\Admin\AppData\Local\Temp\bc3a66a87018863d22a6a7a9afd15f0af5499d021f0ede01466011e0a64a0ce1.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 976 -s 10722⤵PID:2576