Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
23-08-2024 12:16
Behavioral task
behavioral1
Sample
0c3d8832405d8d7f4a04d73def58a210N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
0c3d8832405d8d7f4a04d73def58a210N.exe
Resource
win10v2004-20240802-en
General
-
Target
0c3d8832405d8d7f4a04d73def58a210N.exe
-
Size
303KB
-
MD5
0c3d8832405d8d7f4a04d73def58a210
-
SHA1
b0016f87a778266044a9ae936016a20f96a01908
-
SHA256
8658029f6b2cd3a3b910b93268f32310569f2822d09c3e0e4a620a4898f234d1
-
SHA512
78b4759c0a6c926a82fbe1f7dc964776b4823d62765b54188507b83303398c283902bb50ced34a62988b92ac8ac704e122d7b84da3fde203761034860df0c9c5
-
SSDEEP
6144:TFcT6MDdbICydeBvtCikGW9KJj6bmA1D0i6c:TFK1CikGeK5g1DUc
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1274733479803879525/t1lC-nq9RKFCwLmKBFLxp6j0oVIQKItj_zI_ZKLQrseJqINyeQd10azRTTLtAgEBdWsb
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2096 0c3d8832405d8d7f4a04d73def58a210N.exe 2096 0c3d8832405d8d7f4a04d73def58a210N.exe 2096 0c3d8832405d8d7f4a04d73def58a210N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2096 0c3d8832405d8d7f4a04d73def58a210N.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2556 2096 0c3d8832405d8d7f4a04d73def58a210N.exe 30 PID 2096 wrote to memory of 2556 2096 0c3d8832405d8d7f4a04d73def58a210N.exe 30 PID 2096 wrote to memory of 2556 2096 0c3d8832405d8d7f4a04d73def58a210N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c3d8832405d8d7f4a04d73def58a210N.exe"C:\Users\Admin\AppData\Local\Temp\0c3d8832405d8d7f4a04d73def58a210N.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2096 -s 10442⤵PID:2556
-