Analysis
- max time kernel: 107s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20/11/2021, 17:41

Static task: static1
Behavioral task: behavioral1
- Sample: 75f13bcd18948ed9318396cadf3b3442.exe
- Resource: win7-en-20211104
- 0 signatures, 0 seconds
General
- Target: 75f13bcd18948ed9318396cadf3b3442.exe
- Size: 1.5MB
- MD5: 75f13bcd18948ed9318396cadf3b3442
- SHA1: 71ba405a7404f9ffe4466ab85eceeee661739712
- SHA256: 0466b839b04f09bff7cee333e33e8a22eed68e8d95997ad6da17ae19e1d8293b
- SHA512: 28b1e37c23b0dab61919eea3505a8dadf307ea90856a9100c1fccc6289d08e6c8833b71db405796ac5acb73d41b55b290d7cce45cb04f6d5ebf3b1cc322afa34
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target stored browser profile data: saved credentials, cookies, session tokens and autofill entries. Read this together with the process tree below: the sample force-kills chrome.exe, which is the usual way a stealer releases the file locks Chrome holds on its profile databases while it is running, so that they can be copied or read.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  No hostname or URL for the abused service is recorded in this report.
- Looks up geolocation information via web service
  Queries a legitimate public geolocation web service to learn the infected system's location, typically used to tag or filter victims by country. The report does not record which service was contacted.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the other signatures in this trace (browser data access, geolocation lookup, killing chrome.exe) point to an infostealer, where drive enumeration is more plausibly file harvesting, so treat the ransomware tag with caution.
- Kills process with taskkill (1 IoCs)
  PID   Process
  1184  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token                          PID   Process
  SeCreateTokenPrivilege         2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeAssignPrimaryTokenPrivilege  2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeLockMemoryPrivilege          2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeIncreaseQuotaPrivilege       2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeMachineAccountPrivilege      2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeTcbPrivilege                 2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeSecurityPrivilege            2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeTakeOwnershipPrivilege       2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeLoadDriverPrivilege          2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeSystemProfilePrivilege       2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeSystemtimePrivilege          2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeProfSingleProcessPrivilege   2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeIncBasePriorityPrivilege     2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeCreatePagefilePrivilege      2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeCreatePermanentPrivilege     2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeBackupPrivilege              2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeRestorePrivilege             2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeShutdownPrivilege            2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeDebugPrivilege               2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeAuditPrivilege               2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeSystemEnvironmentPrivilege   2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeChangeNotifyPrivilege        2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeRemoteShutdownPrivilege      2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeUndockPrivilege              2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeSyncAgentPrivilege           2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeEnableDelegationPrivilege    2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeManageVolumePrivilege        2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeImpersonatePrivilege         2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeCreateGlobalPrivilege        2472  75f13bcd18948ed9318396cadf3b3442.exe
  31                             2472  75f13bcd18948ed9318396cadf3b3442.exe
  32                             2472  75f13bcd18948ed9318396cadf3b3442.exe
  33                             2472  75f13bcd18948ed9318396cadf3b3442.exe
  34                             2472  75f13bcd18948ed9318396cadf3b3442.exe
  35                             2472  75f13bcd18948ed9318396cadf3b3442.exe
  SeDebugPrivilege               1184  taskkill.exe
  The five numeric entries are privilege LUIDs the sandbox did not map to a name; on current Windows builds LUIDs 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Together with the named rows this is the whole contiguous privilege range from SeCreateTokenPrivilege (LUID 2) upward, i.e. the sample loops over every privilege and asks AdjustTokenPrivileges to enable each one. The sandbox logs the request, not whether the token actually held the privilege, so SeDebugPrivilege sits next to privileges a standard user token never has (SeTcbPrivilege, SeCreateTokenPrivilege). The single SeDebugPrivilege adjustment by taskkill.exe is normal: taskkill enables it in order to terminate other processes.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID   Action              Target PID  Process                                procid_target
  2472  wrote to memory of  2292        75f13bcd18948ed9318396cadf3b3442.exe   69
  2472  wrote to memory of  2292        75f13bcd18948ed9318396cadf3b3442.exe   69
  2472  wrote to memory of  2292        75f13bcd18948ed9318396cadf3b3442.exe   69
  2292  wrote to memory of  1184        cmd.exe                                71
  2292  wrote to memory of  1184        cmd.exe                                71
  2292  wrote to memory of  1184        cmd.exe                                71
  Both targets are the writer's own child at the moment of creation (2472 creates cmd.exe 2292, cmd.exe creates taskkill.exe 1184), so these writes are consistent with ordinary process start-up rather than injection into an unrelated process; the signature is generic and fires on any WriteProcessMemory call.
Processes
C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe (PID 2472)
  command line: "C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe (PID 2292)
      command line: cmd.exe /c taskkill /f /im chrome.exe
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\taskkill.exe (PID 1184)
          command line: taskkill /f /im chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          - PID: 1184
The children resolve to C:\Windows\SysWOW64 rather than System32 because the sample is a 32-bit process running on 64-bit Windows and file system redirection rewrites its System32 lookups; this is a reliable indicator that the executable is 32-bit. The whole tree is the sample launching a shell to force-kill Chrome, the only observable preparation step before the browser data access reported in the signatures.
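The process chain and the privilege sweep above are the two behaviours in this report that are easiest to turn into detections. The following Python is an added example, not code from the sandbox or from the sample, and it runs over constructed Sysmon-style records (field names pid, ppid, image, command_line and privilege are assumptions, not an export format this report provides). It walks the process tree to find taskkill.exe force-killing a browser with an ancestor living in a user's Temp directory, and separately flags any process that enables SeDebugPrivilege together with an unusually large number of other privileges.

```python
import ntpath
import re
from collections import defaultdict

# Browser images an infostealer kills so that locked profile files (e.g. Chrome's
# "Login Data" SQLite database) can be copied or read while the browser is down.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# A parent living in the user's Temp directory, as the sample in this report does.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

MAX_ANCESTOR_DEPTH = 4  # how far up the tree to look for a Temp-resident ancestor


def taskkill_force_target(command_line):
    """Return the image named by 'taskkill /f /im <image>' (lower-cased), else None.
    Both /f and /im must be present; a taskkill without /f is not a forced kill."""
    tokens = [t.strip('"').lower() for t in command_line.split()]
    if not tokens or ntpath.basename(tokens[0]) not in ("taskkill", "taskkill.exe"):
        return None
    if "/f" not in tokens or "/im" not in tokens:
        return None
    idx = tokens.index("/im")
    return tokens[idx + 1] if idx + 1 < len(tokens) else None


def browser_kill_chains(proc_events):
    """Find taskkill.exe processes that force-kill a browser and have an ancestor
    (within MAX_ANCESTOR_DEPTH) whose image lives in a user's Temp directory.
    Returns a list of (taskkill_pid, target_image, [images from that ancestor down])."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for ev in proc_events:
        if ntpath.basename(ev["image"]).lower() != "taskkill.exe":
            continue
        target = taskkill_force_target(ev["command_line"])
        if target not in BROWSER_IMAGES:
            continue
        chain, cur, depth = [ev["image"]], ev, 0
        while cur["ppid"] in by_pid and depth < MAX_ANCESTOR_DEPTH:
            cur = by_pid[cur["ppid"]]
            chain.insert(0, cur["image"])
            depth += 1
            if USER_TEMP_RE.search(cur["image"]):
                hits.append((ev["pid"], target, chain))
                break
    return hits


def privilege_sweeps(token_events, min_distinct=10):
    """Group AdjustTokenPrivileges records by pid and return {pid: sorted privileges}
    for processes that enable SeDebugPrivilege alongside at least min_distinct
    distinct privileges. A lone SeDebugPrivilege (taskkill.exe, debuggers) is ignored."""
    per_pid = defaultdict(set)
    for ev in token_events:
        per_pid[ev["pid"]].add(ev["privilege"])
    return {pid: sorted(p) for pid, p in per_pid.items()
            if "SeDebugPrivilege" in p and len(p) >= min_distinct}


# Constructed process-creation records: the tree from this report plus a benign
# chain (explorer -> cmd -> taskkill of notepad.exe) that must not alert.
SAMPLE_PROCS = [
    {"pid": 2472, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\75f13bcd18948ed9318396cadf3b3442.exe"'},
    {"pid": 2292, "ppid": 2472, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": "cmd.exe /c taskkill /f /im chrome.exe"},
    {"pid": 1184, "ppid": 2292, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "command_line": "taskkill /f /im chrome.exe"},
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c taskkill /f /im notepad.exe"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Windows\System32\taskkill.exe",
     "command_line": "taskkill /f /im notepad.exe"},
]

# Constructed token-adjustment records: a subset of the sample's privilege sweep
# and taskkill.exe's single SeDebugPrivilege, which should not trip the rule.
_SAMPLE_PRIVS = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeTcbPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeCreateGlobalPrivilege",
]
SAMPLE_TOKEN_EVENTS = ([{"pid": 2472, "privilege": p} for p in _SAMPLE_PRIVS]
                       + [{"pid": 1184, "privilege": "SeDebugPrivilege"}])

if __name__ == "__main__":
    for pid, target, chain in browser_kill_chains(SAMPLE_PROCS):
        print(f"ALERT browser kill: taskkill pid {pid} -> {target}; chain: {' -> '.join(chain)}")
    for pid, privs in privilege_sweeps(SAMPLE_TOKEN_EVENTS).items():
        print(f"ALERT privilege sweep: pid {pid} enabled {len(privs)} privileges incl. SeDebugPrivilege")
```

Run against the constructed records, only the Temp-resident chain ending in taskkill of chrome.exe and only PID 2472's privilege sweep alert; the explorer-launched taskkill of notepad.exe and taskkill.exe's own SeDebugPrivilege stay quiet. The ancestor walk is bounded so a malformed or cyclic ppid chain cannot loop forever.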