Analysis
Max time kernel: 116s
Max time network: 121s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 04-11-2021 06:25
Static task: static1
General
Target: 65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
Size: 1.4MB
MD5: 0d30d3d3cb5eadf25112c28aeca217b4
SHA1: 4d6736328111892491982d5fcd1189a31dc54cdc
SHA256: 65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3
SHA512: da4fd3e15835640fb8e33a4f36805ee5fab83897092469dfb5d590362e8f895b89022899af8baaa22c6d8932ab3f03cc3060f2f60f83d884e0e3253efa259a95
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid   Process
  1328  taskkill.exe
- Modifies system certificate store
  description       ioc                                                                                                                Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349   65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e   65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Note: the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 matches the SHA1-hash property stored inside the blob, and the DER certificate in the blob is the self-signed "AAA Certificate Services" root issued by "Comodo CA Limited" (friendly name "Sectigo (AAA)", also readable in the blob). Windows populates AuthRoot\Certificates automatically when chain validation needs a public root that is not yet cached locally, so this entry on its own is consistent with the sample making an HTTPS connection (see the hosting-service and geolocation signatures above) rather than with a deliberate change to trusted roots; a store modification worth escalating would be a write to the ROOT store or a thumbprint that does not correspond to a known public CA.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                            pid   Process
  Token: SeCreateTokenPrivilege          3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeAssignPrimaryTokenPrivilege   3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeLockMemoryPrivilege           3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeIncreaseQuotaPrivilege        3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeMachineAccountPrivilege       3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeTcbPrivilege                  3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeSecurityPrivilege             3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeTakeOwnershipPrivilege        3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeLoadDriverPrivilege           3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeSystemProfilePrivilege        3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeSystemtimePrivilege           3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeProfSingleProcessPrivilege    3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeIncBasePriorityPrivilege      3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeCreatePagefilePrivilege       3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeCreatePermanentPrivilege      3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeBackupPrivilege               3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeRestorePrivilege              3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeShutdownPrivilege             3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeDebugPrivilege                3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeAuditPrivilege                3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeSystemEnvironmentPrivilege    3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeChangeNotifyPrivilege         3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeRemoteShutdownPrivilege       3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeUndockPrivilege               3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeSyncAgentPrivilege            3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeEnableDelegationPrivilege     3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeManageVolumePrivilege         3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeImpersonatePrivilege          3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeCreateGlobalPrivilege         3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: 31                              3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: 32                              3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: 33                              3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: 34                              3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: 35                              3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Token: SeDebugPrivilege                1328  taskkill.exe
  Note: the numeric entries 31 to 35 are privilege LUIDs the sandbox did not map to names; in winnt.h they are SeTrustedCredManAccessPrivilege (31), SeRelabelPrivilege (32), SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). Enabling the complete privilege set in one pass, rather than the one privilege an operation needs, is the pattern behind this signature. The taskkill.exe entry is expected: taskkill enables SeDebugPrivilege to terminate processes it does not own.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                   pid   Process                                                                 procid_target
  PID 3924 wrote to memory of 2320  3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe  68
  PID 3924 wrote to memory of 2320  3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe  68
  PID 3924 wrote to memory of 2320  3924  65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe  68
  PID 2320 wrote to memory of 1328  2320  cmd.exe                                                                 70
  PID 2320 wrote to memory of 1328  2320  cmd.exe                                                                 70
  PID 2320 wrote to memory of 1328  2320  cmd.exe                                                                 70
Processes
- C:\Users\Admin\AppData\Local\Temp\65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65b015e65a9fea301e972cf34503a255a480c57b8cd68aa26fdb4571c93a37a3.exe"
  PID: 3924
  Signatures:
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 2320
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 1328
      Signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken