Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-en-20211104
submitted: 20/11/2021, 17:41
Static task: static1
Behavioral task: behavioral1
Sample: 75f13bcd18948ed9318396cadf3b3442.exe
Resource: win7-en-20211104
General
Target: 75f13bcd18948ed9318396cadf3b3442.exe
Size: 1.5MB
MD5: 75f13bcd18948ed9318396cadf3b3442
SHA1: 71ba405a7404f9ffe4466ab85eceeee661739712
SHA256: 0466b839b04f09bff7cee333e33e8a22eed68e8d95997ad6da17ae19e1d8293b
SHA512: 28b1e37c23b0dab61919eea3505a8dadf307ea90856a9100c1fccc6289d08e6c8833b71db405796ac5acb73d41b55b290d7cce45cb04f6d5ebf3b1cc322afa34
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid 392, process taskkill.exe
- Modifies system certificate store
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  process: 75f13bcd18948ed9318396cadf3b3442.exe

  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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
  process: 75f13bcd18948ed9318396cadf3b3442.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 1072, process 75f13bcd18948ed9318396cadf3b3442.exe, tokens enabled:
    SeCreateTokenPrivilege
    SeAssignPrimaryTokenPrivilege
    SeLockMemoryPrivilege
    SeIncreaseQuotaPrivilege
    SeMachineAccountPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeSystemProfilePrivilege
    SeSystemtimePrivilege
    SeProfSingleProcessPrivilege
    SeIncBasePriorityPrivilege
    SeCreatePagefilePrivilege
    SeCreatePermanentPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeShutdownPrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeChangeNotifyPrivilege
    SeRemoteShutdownPrivilege
    SeUndockPrivilege
    SeSyncAgentPrivilege
    SeEnableDelegationPrivilege
    SeManageVolumePrivilege
    SeImpersonatePrivilege
    SeCreateGlobalPrivilege
    31
    32
    33
    34
    35
  pid 392, process taskkill.exe, tokens enabled:
    SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                 procid_target
  PID 1072 wrote to memory of 380    1072  75f13bcd18948ed9318396cadf3b3442.exe    29
  PID 1072 wrote to memory of 380    1072  75f13bcd18948ed9318396cadf3b3442.exe    29
  PID 1072 wrote to memory of 380    1072  75f13bcd18948ed9318396cadf3b3442.exe    29
  PID 1072 wrote to memory of 380    1072  75f13bcd18948ed9318396cadf3b3442.exe    29
  PID 380 wrote to memory of 392     380   cmd.exe                                 31
  PID 380 wrote to memory of 392     380   cmd.exe                                 31
  PID 380 wrote to memory of 392     380   cmd.exe                                 31
  PID 380 wrote to memory of 392     380   cmd.exe                                 31
Processes
- C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe"
  PID: 1072
  Signatures: Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 380
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 392
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken