Analysis

max time kernel: 121s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21/11/2021, 15:55
Static task: static1
Behavioral task: behavioral1
Sample: b120e3c30aab6056d09c7ddd9a1da04b.exe
Resource: win7-en-20211104
0 signatures
0 seconds
General

Target: b120e3c30aab6056d09c7ddd9a1da04b.exe
Size: 1.7MB
MD5: b120e3c30aab6056d09c7ddd9a1da04b
SHA1: 1d005546777a5d021079183da18c096a35752679
SHA256: f4f130abba01aa931e7575c0a3ecc47c4881d3a8d213b200a47a2795861870cb
SHA512: fa046cb5450b4ee9d19bb2ddd07636d21c304121d0eea8c800880ac290c454e339f5b69d4815b8b2c7b36587797a0d3c619f82dac5a38e6574bf2eeb79fbfe20
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (1 IoCs)
  pid   Process
  4444  taskkill.exe

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                           pid   Process
  Token: SeCreateTokenPrivilege         4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeAssignPrimaryTokenPrivilege  4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeLockMemoryPrivilege          4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeIncreaseQuotaPrivilege       4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeMachineAccountPrivilege      4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeTcbPrivilege                 4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeSecurityPrivilege            4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeTakeOwnershipPrivilege       4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeLoadDriverPrivilege          4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeSystemProfilePrivilege       4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeSystemtimePrivilege          4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeProfSingleProcessPrivilege   4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeIncBasePriorityPrivilege     4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeCreatePagefilePrivilege      4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeCreatePermanentPrivilege     4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeBackupPrivilege              4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeRestorePrivilege             4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeShutdownPrivilege            4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeDebugPrivilege               4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeAuditPrivilege               4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeSystemEnvironmentPrivilege   4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeChangeNotifyPrivilege        4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeRemoteShutdownPrivilege      4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeUndockPrivilege              4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeSyncAgentPrivilege           4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeEnableDelegationPrivilege    4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeManageVolumePrivilege        4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeImpersonatePrivilege         4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeCreateGlobalPrivilege        4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: 31                             4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: 32                             4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: 33                             4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: 34                             4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: 35                             4384  b120e3c30aab6056d09c7ddd9a1da04b.exe
  Token: SeDebugPrivilege               4444  taskkill.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process                               procid_target
  PID 4384 wrote to memory of 3100    4384  b120e3c30aab6056d09c7ddd9a1da04b.exe  69
  PID 4384 wrote to memory of 3100    4384  b120e3c30aab6056d09c7ddd9a1da04b.exe  69
  PID 4384 wrote to memory of 3100    4384  b120e3c30aab6056d09c7ddd9a1da04b.exe  69
  PID 3100 wrote to memory of 4444    3100  cmd.exe                               71
  PID 3100 wrote to memory of 4444    3100  cmd.exe                               71
  PID 3100 wrote to memory of 4444    3100  cmd.exe                               71
Processes

1. C:\Users\Admin\AppData\Local\Temp\b120e3c30aab6056d09c7ddd9a1da04b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b120e3c30aab6056d09c7ddd9a1da04b.exe"
   PID: 4384
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe
      PID: 3100
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im chrome.exe
         PID: 4444
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken