Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 21/11/2021, 15:55

Static task: static1
Behavioral task: behavioral1
Sample: b120e3c30aab6056d09c7ddd9a1da04b.exe
Resource: win7-en-20211104
General
- Target: b120e3c30aab6056d09c7ddd9a1da04b.exe
- Size: 1.7MB
- MD5: b120e3c30aab6056d09c7ddd9a1da04b
- SHA1: 1d005546777a5d021079183da18c096a35752679
- SHA256: f4f130abba01aa931e7575c0a3ecc47c4881d3a8d213b200a47a2795861870cb
- SHA512: fa046cb5450b4ee9d19bb2ddd07636d21c304121d0eea8c800880ac290c454e339f5b69d4815b8b2c7b36587797a0d3c619f82dac5a38e6574bf2eeb79fbfe20
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid 1880: taskkill.exe
- Modifies system certificate store
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (b120e3c30aab6056d09c7ddd9a1da04b.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data not captured in this report] (b120e3c30aab6056d09c7ddd9a1da04b.exe)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 1076, b120e3c30aab6056d09c7ddd9a1da04b.exe, adjusted tokens:
    SeCreateTokenPrivilege
    SeAssignPrimaryTokenPrivilege
    SeLockMemoryPrivilege
    SeIncreaseQuotaPrivilege
    SeMachineAccountPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeSystemProfilePrivilege
    SeSystemtimePrivilege
    SeProfSingleProcessPrivilege
    SeIncBasePriorityPrivilege
    SeCreatePagefilePrivilege
    SeCreatePermanentPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeShutdownPrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeChangeNotifyPrivilege
    SeRemoteShutdownPrivilege
    SeUndockPrivilege
    SeSyncAgentPrivilege
    SeEnableDelegationPrivilege
    SeManageVolumePrivilege
    SeImpersonatePrivilege
    SeCreateGlobalPrivilege
    31
    32
    33
    34
    35
  pid 1880, taskkill.exe, adjusted tokens:
    SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1076 (b120e3c30aab6056d09c7ddd9a1da04b.exe) wrote to memory of 616, procid_target 29 (4 entries)
  PID 616 (cmd.exe) wrote to memory of 1880, procid_target 31 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b120e3c30aab6056d09c7ddd9a1da04b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b120e3c30aab6056d09c7ddd9a1da04b.exe"
   PID: 1076
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe
      PID: 616
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im chrome.exe
         PID: 1880
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken