Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
04-11-2021 06:21
Static task
static1
General
-
Target
9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe
-
Size
1.4MB
-
MD5
f38c8c90743382f4fde6804c5e40d941
-
SHA1
868ca3b3add71be886e7dc314f2e16e11acbd608
-
SHA256
9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b
-
SHA512
a27328777827672285735b52938f41d2ea1989094ea7e462c372fc94d7e6e3f80e69e4f6afda0eb421f5de66254d20da7a465204fda8ee41b40a9cfb4c8a87fa
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
pid Process 1056 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeCreateTokenPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeAssignPrimaryTokenPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeLockMemoryPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeIncreaseQuotaPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeMachineAccountPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeTcbPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeSecurityPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeTakeOwnershipPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeLoadDriverPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeSystemProfilePrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeSystemtimePrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeProfSingleProcessPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeIncBasePriorityPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeCreatePagefilePrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeCreatePermanentPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeBackupPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeRestorePrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeShutdownPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeDebugPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeAuditPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeSystemEnvironmentPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeChangeNotifyPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeRemoteShutdownPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeUndockPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeSyncAgentPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeEnableDelegationPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeManageVolumePrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeImpersonatePrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeCreateGlobalPrivilege 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: 31 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: 32 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: 33 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: 34 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: 35 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe Token: SeDebugPrivilege 1056 taskkill.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3132 wrote to memory of 604 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe 68 PID 3132 wrote to memory of 604 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe 68 PID 3132 wrote to memory of 604 3132 9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe 68 PID 604 wrote to memory of 1056 604 cmd.exe 70 PID 604 wrote to memory of 1056 604 cmd.exe 70 PID 604 wrote to memory of 1056 604 cmd.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe"C:\Users\Admin\AppData\Local\Temp\9bdac78eed506499e93fd38b1d48879ef9c6667e21a88b6c4e3cae1ebfc5548b.exe"1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-