Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 20:37
Behavioral task
behavioral1
Sample
Cheat 0x кряк/0x launcher.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Cheat 0x кряк/0x launcher.exe
Resource
win10v2004-20240802-en
General
-
Target
Cheat 0x кряк/0x launcher.exe
-
Size
303KB
-
MD5
556ee735d703fc329a6463e5a042dc43
-
SHA1
faaaf05975a679668feec76c7b4602a8c7b6b6fb
-
SHA256
7bca2a9913e523e2c46ae6b50cfc9f7d687ec8ca9a3e9034f82531020ddec423
-
SHA512
b0e7510b558f7cc65690accf5f8fa8617d58c1e9650e2426f10d1d733487dd155e439420847d6526479584003a5b20affbbe7a2644604cc0108e02399d324b69
-
SSDEEP
6144:F5hxT6MDdbICydeBvQ26i2dVTZ86rmA1D0oVr:F5dY26i2vTGQ1DVr
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1275107356367388704/roqjMlMySpW-zLEdW4HEDDUN7HAzi90wBYpi5xr98pNekoem7ifN6jBJOTc9aGHL1SDD
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2272 0x launcher.exe 2272 0x launcher.exe 2272 0x launcher.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2272 0x launcher.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2836 2272 0x launcher.exe 30 PID 2272 wrote to memory of 2836 2272 0x launcher.exe 30 PID 2272 wrote to memory of 2836 2272 0x launcher.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cheat 0x кряк\0x launcher.exe"C:\Users\Admin\AppData\Local\Temp\Cheat 0x кряк\0x launcher.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2272 -s 9242⤵PID:2836
-