Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-09-2024 10:56
Behavioral task
behavioral1
Sample
d3de0412bec54446b5d1ed2c4c5f4c70N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d3de0412bec54446b5d1ed2c4c5f4c70N.exe
Resource
win10v2004-20240802-en
General
-
Target
d3de0412bec54446b5d1ed2c4c5f4c70N.exe
-
Size
303KB
-
MD5
d3de0412bec54446b5d1ed2c4c5f4c70
-
SHA1
54495a644a25c7d34dc54bea412dd5cc2a6134a2
-
SHA256
3a87cc4950e178d0d9cbdaed694c3f66eaa9188b737e77196fb7f04488de87b1
-
SHA512
b0a45b1802a029db70af34e99ebb366eae3d14abacfbc76a416f0546658144353be9f3239a2e04f8841f570183d19d0a4ac52e1d65f058d5003bf0df6097f50e
-
SSDEEP
6144:ijFT6MDdbICydeB0iG54G4S+ZoH86rmA1D0pFY:ijzQ54G4SuocQ1D4Y
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1279822438275743797/_20WkTO7p0GPrUxzs4Q2N_pDciklVwX5FNxvTPXTBG6N9rgt5NcWUwHYy3qnBKR_GZGa
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2816 wrote to memory of 2096 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe 31 PID 2816 wrote to memory of 2096 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe 31 PID 2816 wrote to memory of 2096 2816 d3de0412bec54446b5d1ed2c4c5f4c70N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3de0412bec54446b5d1ed2c4c5f4c70N.exe"C:\Users\Admin\AppData\Local\Temp\d3de0412bec54446b5d1ed2c4c5f4c70N.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2816 -s 11962⤵PID:2096
-