Analysis
- max time kernel: 120s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 04-11-2021 06:17
- Static task: static1
General
- Target: 13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe
- Size: 1.4MB
- MD5: c55a782fb3152c45d4d4944539b5f4ea
- SHA1: 6013dbd7b11390ace1283a402e77e9ef751c4c10
- SHA256: 13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68
- SHA512: 17ac501d7828573a9b7f8eab837392104ca606cc1567bcd1b93a6ead9bfd026fe15eb79a202754fc2d0c548a35ee5a99a737cb1d8e8810b81f7ef03cb8aa4c90
Malware Config
Signatures
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation.
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drives. The sandbox flags this as likely ransomware behaviour; in this sample it sits next to browser-data access and a forced kill of chrome.exe, so it is at least as consistent with an infostealer sweeping attached drives for files to harvest. Nothing in the report shows file encryption.
-
- Kills process with taskkill 1 IoCs
  pid   Process
  1288  taskkill.exe
- Modifies system certificate store 2 IoCs
  description       ioc                                                                                                              Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349         13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided]   13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe
  AuthRoot is the machine-wide store for third-party root CAs, normally populated only by Windows' own root-certificate update. Creating a subkey named after a certificate's SHA-1 thumbprint and writing its Blob value is exactly how a certificate lands in that store, so the sample has installed a root CA that CryptoAPI/SChannel and every browser that relies on the system store will trust. With that in place the operator can present forged TLS certificates to this host or sign binaries it will accept. The thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the durable indicator here; the key is created from a user-writable Temp path by an unsigned binary, which no legitimate root-program update ever does.
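A host-side check for this indicator, as an added example that is not part of the sandbox report: it looks for the thumbprint logged above in every root store the Cert: provider exposes and in the raw registry key the report names, preserves the Blob value before removal, and removes it only when asked. It assumes it runs elevated on the suspect host; the -Remove switch and the dump path are choices made for this example.

```powershell
# Added example, not part of the sandbox report: hunt for the root certificate this
# sample wrote to the machine AuthRoot store, keyed on the thumbprint the report logs.
# Assumes it runs elevated on the suspect host; -Remove is a hypothetical switch.
param(
    [string]$Thumbprint = 'D1EB23A46D17D68FD92564C2F1F1601764D8E349',
    [switch]$Remove
)

$Thumbprint = $Thumbprint.ToUpperInvariant()

# 1. Walk every root store the Cert: provider exposes. The report shows the HKLM
#    AuthRoot key, but checking Root and the per-user stores costs nothing.
$stores = 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\AuthRoot',  'Cert:\CurrentUser\Root'
$hits = foreach ($s in $stores) {
    Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{ n = 'Store'; e = { $s } }, Subject, Issuer, NotAfter, Thumbprint
}

# 2. Read the raw registry key the sandbox logged as well. A blob that the Cert:
#    provider cannot parse would still be visible here.
$regKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"
$regHit = Test-Path -Path $regKey

if (-not $hits -and -not $regHit) {
    Write-Output "No certificate with thumbprint $Thumbprint found."
    return
}

$hits | Format-Table -AutoSize
if ($regHit) { Write-Output "Registry key present: $regKey" }

# 3. Remove only after preserving the evidence. The Blob value is the serialized
#    certificate, which is what you want for later analysis.
if ($Remove) {
    if ($regHit) {
        $blob = (Get-ItemProperty -Path $regKey).Blob
        if ($blob) {
            $dump = Join-Path $env:TEMP "$Thumbprint.blob"
            [IO.File]::WriteAllBytes($dump, $blob)
            Write-Output "Blob saved to $dump"
        }
        Remove-Item -Path $regKey -Recurse -Force
    }
    foreach ($h in $hits) {
        Remove-Item -Path "$($h.Store)\$($h.Thumbprint)" -ErrorAction SilentlyContinue
    }
    Write-Output "Removed $Thumbprint."
}
```

Presence in AuthRoot alone is not proof of compromise, because Windows itself populates that store; what makes this one malicious is the writer. For ongoing detection, alert on registry value writes (Sysmon Event ID 13) under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\*\Blob from any image other than the Windows components that maintain the root store.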
- Suspicious use of AdjustPrivilegeToken 35 IoCs
  PID 3080 (13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe) called AdjustTokenPrivileges for 34 privileges:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and LUIDs 31, 32, 33, 34 and 35 (reported by number only; on Windows 10 these LUIDs are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
  PID 1288 (taskkill.exe): SeDebugPrivilege.
  Requesting every well-known privilege in order is the footprint of an "enable everything" loop, not a targeted request for one right. Each line records the name passed to AdjustTokenPrivileges; the call can only enable privileges the token already holds in a disabled state, so under a standard user most of these attempts fail and the interesting ones are SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege if the sample ran elevated. The SeDebugPrivilege entry for taskkill.exe is expected: taskkill /f enables it to terminate other users' processes.
- Suspicious use of WriteProcessMemory 6 IoCs
  description                          pid   Process                                                                   procid_target
  PID 3080 wrote to memory of 2324     3080  13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe    69   (logged 3 times)
  PID 2324 wrote to memory of 1288     2324  cmd.exe                                                                   71   (logged 3 times)
  Both entries are a parent writing into the child it has just spawned (the sample into cmd.exe, cmd.exe into taskkill.exe). The sandbox logs these writes for any process that creates a child, so on their own they do not show injection into an unrelated process; the only write targets in this run are the sample's own descendants.
Processes
- C:\Users\Admin\AppData\Local\Temp\13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe
  "C:\Users\Admin\AppData\Local\Temp\13fedbb86566c03188cd4038d76837752e17af71055ccc91ff625ff35f532d68.exe"
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3080
  - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    PID: 2324
    - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1288

The children resolve to SysWOW64, so the sample is a 32-bit binary running under WoW64 on the x64 guest. Forcibly killing chrome.exe right before reading browser profile data is a common infostealer step: Chrome keeps its Login Data and Cookies SQLite databases locked while it runs, and terminating it frees them for copying.
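The process chain above, turned into a hunt over Sysmon process-creation events, as an added example that is not part of the sandbox report: it finds taskkill.exe runs aimed at chrome.exe that were launched through cmd.exe, walks one hop further up by ProcessGuid to see where the grandparent ran from, and flags chains whose grandparent lives under the user's Temp or Downloads folder as in this run. It assumes Sysmon is installed with process-creation logging and the script runs elevated; the -Days look-back is a parameter chosen for this example.

```powershell
# Added example, not part of the sandbox report: find the chain the report shows
# (sample in %TEMP% -> cmd.exe /c taskkill /f /im chrome.exe -> taskkill.exe) in
# Sysmon process-creation events (Event ID 1). Assumes Sysmon is installed with
# process-creation logging and the script runs elevated; -Days is a hypothetical
# look-back parameter.
param([int]$Days = 7)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-$Days)
}

# Parse EventData by field name instead of Properties[] index, which shifts
# between Sysmon schema versions.
function Get-SysmonProcessCreate {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time              = $_.TimeCreated
            ProcessGuid       = $d['ProcessGuid']
            Image             = $d['Image']
            CommandLine       = $d['CommandLine']
            ParentProcessGuid = $d['ParentProcessGuid']
            ParentImage       = $d['ParentImage']
        }
    }
}

$events = Get-SysmonProcessCreate
$byGuid = @{}
foreach ($e in $events) { if ($e.ProcessGuid) { $byGuid[$e.ProcessGuid] = $e } }

# Hop 1: taskkill.exe targeting chrome.exe, launched by cmd.exe.
$kills = $events | Where-Object {
    $_.Image -like '*\taskkill.exe' -and
    $_.CommandLine -match '(?i)/im\s+chrome\.exe' -and
    $_.ParentImage -like '*\cmd.exe'
}

# Hop 2: resolve that cmd.exe by ProcessGuid (unique, unlike a PID) and look at
# where its own parent was running from. A grandparent under the user's Temp or
# Downloads folder is the pattern in the report; an admin's logon script is not.
foreach ($k in $kills) {
    $cmd   = $byGuid[$k.ParentProcessGuid]
    $grand = if ($cmd) { $cmd.ParentImage } else { '<cmd.exe event not in window>' }
    [pscustomobject]@{
        Time        = $k.Time
        Chain       = "$grand -> $($k.ParentImage) -> $($k.Image)"
        CommandLine = $k.CommandLine
        Suspicious  = [bool]($grand -match '(?i)\\AppData\\Local\\Temp\\|\\Downloads\\')
    }
}
```

Matching on the grandparent path rather than on taskkill alone keeps the false-positive rate down: help-desk scripts and software installers also kill browsers, but they do not do it from an unsigned executable in %LOCALAPPDATA%\Temp. Pair any hit with the certificate-store check for the thumbprint listed under Signatures, since both indicators come from the same process in this run.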