Analysis

max time kernel     82s
max time network    123s
platform            windows10_x64
resource            win10-en-20211104
submitted           22/11/2021, 05:58
Static task         static1
General

Target   da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe
Size     1.4MB
MD5      9ad11a75d19df891b2feb33a4c9244da
SHA1     260a02a793d4acf42108f8533c7e2e4bf0811e8e
SHA256   da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455
SHA512   75f6d189500812be61f79ab0a36ed65c3a7ff4c6489070ff4b00a283edd2ef554bf4bf437490e117e6b4b41a2368947c29d3f8cd35673a2d6271bc898e4ce772
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's location.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note labels this likely ransomware behaviour; read together with the browser-data and geolocation signatures above, drive enumeration in this sample is at least as consistent with an infostealer inventorying drives to collect from.

Kills process with taskkill (1 IoC)
  pid   Process
  824   taskkill.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)

  PID 2336 = da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe (the sample); PID 824 = taskkill.exe

  description                              pid
  Token: SeCreateTokenPrivilege            2336
  Token: SeAssignPrimaryTokenPrivilege     2336
  Token: SeLockMemoryPrivilege             2336
  Token: SeIncreaseQuotaPrivilege          2336
  Token: SeMachineAccountPrivilege         2336
  Token: SeTcbPrivilege                    2336
  Token: SeSecurityPrivilege               2336
  Token: SeTakeOwnershipPrivilege          2336
  Token: SeLoadDriverPrivilege             2336
  Token: SeSystemProfilePrivilege          2336
  Token: SeSystemtimePrivilege             2336
  Token: SeProfSingleProcessPrivilege      2336
  Token: SeIncBasePriorityPrivilege        2336
  Token: SeCreatePagefilePrivilege         2336
  Token: SeCreatePermanentPrivilege        2336
  Token: SeBackupPrivilege                 2336
  Token: SeRestorePrivilege                2336
  Token: SeShutdownPrivilege               2336
  Token: SeDebugPrivilege                  2336
  Token: SeAuditPrivilege                  2336
  Token: SeSystemEnvironmentPrivilege      2336
  Token: SeChangeNotifyPrivilege           2336
  Token: SeRemoteShutdownPrivilege         2336
  Token: SeUndockPrivilege                 2336
  Token: SeSyncAgentPrivilege              2336
  Token: SeEnableDelegationPrivilege       2336
  Token: SeManageVolumePrivilege           2336
  Token: SeImpersonatePrivilege            2336
  Token: SeCreateGlobalPrivilege           2336
  Token: 31                                2336
  Token: 32                                2336
  Token: 33                                2336
  Token: 34                                2336
  Token: 35                                2336
  Token: SeDebugPrivilege                  824

  The 34 requests from PID 2336 walk the privilege LUIDs in order from 2 (SeCreateTokenPrivilege) to 35, the pattern of a loop that tries to enable every privilege the token might hold rather than a targeted request for one. Tokens 31 to 35 are LUIDs the sandbox did not resolve to names; on Windows 10 they are SeTrustedCredManAccessPrivilege (31), SeRelabelPrivilege (32), SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). The signature records the request, not the outcome: a privilege that is not present in the token cannot be enabled and AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED, so most of these will have failed unless the sample ran elevated. The single SeDebugPrivilege request from PID 824 is taskkill.exe's own start-up behaviour when it needs to open other users' processes and is not attributable to the sample's code.
Suspicious use of WriteProcessMemory (6 IoCs)

  description                          pid   Process                                                                  procid_target
  PID 2336 wrote to memory of 3208     2336  da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe    68
  PID 2336 wrote to memory of 3208     2336  da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe    68
  PID 2336 wrote to memory of 3208     2336  da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe    68
  PID 3208 wrote to memory of 824      3208  cmd.exe                                                                  70
  PID 3208 wrote to memory of 824      3208  cmd.exe                                                                  70
  PID 3208 wrote to memory of 824      3208  cmd.exe                                                                  70

  Every write targets the child the writer has just spawned (2336 into cmd.exe 3208, 3208 into taskkill.exe 824, matching the process tree below), and writes of this kind occur as part of normal CreateProcess start-up. There is no write into an unrelated, already-running process, which is what would point to code injection. procid_target (68, 70) is the sandbox's internal index for the target process, not a Windows PID.
Processes

1. C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe
   "C:\Users\Admin\AppData\Local\Temp\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe"
   PID: 2336
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      PID: 3208
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im chrome.exe
         PID: 824
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

Both children resolve to C:\Windows\SysWOW64\, so the sample is a 32-bit image running under WOW64 (file-system redirection maps System32 to SysWOW64 for 32-bit callers). Forcibly killing chrome.exe right before browser-data access is the usual way a stealer releases the locks Chrome holds on its profile databases while it runs; a benign program has little reason to hard-kill the user's browser from a binary in %TEMP%.
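The chain above (binary in the user's Temp directory, via cmd.exe, to `taskkill /f /im chrome.exe`) is a hunt-worthy pattern on its own. The script below is an added example, not part of the sandbox report or the sample: it reconstructs parent/child ancestry from Sysmon-style process-creation records and flags a forced taskkill of a browser whose non-shell origin runs from a user-writable path. The event records are constructed to mirror the report's process tree (PIDs 2336/3208/824 are from the page; explorer.exe and the benign rows are invented for contrast), the `ProcEvent` type and field names are this example's own, and it extends the page's single chrome.exe case to other browsers and to PowerShell as the intermediate shell.

```python
"""Hunt for the 'kill the browser, then read its profile' chain shown in the report.

Events are constructed Sysmon-style process-creation records (Event ID 1 field
names), not logs taken from the page.  Assumptions: PIDs are unique in the window
examined (no PID reuse); the ProcEvent type and its fields are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Browsers whose profile databases (Login Data, Cookies, Web Data) are held open
# while the browser runs, so a stealer kills the process before copying them.
# The report shows chrome.exe; the other names extend the same check.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Intermediate shells the kill may be routed through (cmd.exe in the report).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Locations a standard user can both write to and execute from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(local\\temp|local|roaming)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, like Sysmon's Image field
    cmdline: str    # like Sysmon's CommandLine field


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_taskkill(cmdline: str) -> Tuple[bool, Set[str]]:
    """Return (force flag, image names given with /im) for a taskkill command line."""
    tokens = cmdline.split()
    force, targets = False, set()
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low == "/f":
            force = True
        elif low == "/im" and i + 1 < len(tokens):
            targets.add(tokens[i + 1].strip('"').lower())
    return force, targets


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk up from ev through shell processes, stopping at the first non-shell ancestor."""
    chain, cur = [ev], ev
    while True:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        if basename(parent.image) not in SHELL_IMAGES:
            break
        cur = parent
    return chain


def find_browser_kills(events: List[ProcEvent]) -> List[dict]:
    """Flag `taskkill /f /im <browser>` whose non-shell origin runs from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "taskkill.exe":
            continue
        force, targets = parse_taskkill(ev.cmdline)
        hit = targets & BROWSER_IMAGES
        if not (force and hit):
            continue                      # graceful close, or not a browser
        chain = ancestry(ev, by_pid)
        origin = chain[-1]
        if basename(origin.image) in SHELL_IMAGES or not USER_WRITABLE.match(origin.image):
            continue                      # chain incomplete, or origin is a system path
        findings.append({
            "origin_pid": origin.pid,
            "origin_image": origin.image,
            "chain": [e.pid for e in reversed(chain)],   # origin -> shells -> taskkill
            "killed": sorted(hit),
        })
    return findings


SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\da41ba14234c7da1f5fe3ce2528db9d149c3d807511a8db59740ebe066fc9455.exe")

# Constructed events modelled on the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(4000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2336, 4000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(3208, 2336, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(824, 3208, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    # benign: an interactive shell under explorer.exe closing notepad
    ProcEvent(5100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5120, 5100, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im notepad.exe"),
    # same dropper, but a graceful close without /f: not the stealer pattern
    ProcEvent(5200, 2336, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im chrome.exe"),
]

if __name__ == "__main__":
    for finding in find_browser_kills(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports one finding with chain `[2336, 3208, 824]`; the benign notepad kill and the `/f`-less close from the same dropper are left alone. Matching on the taskkill.exe process rather than on the `cmd.exe /c` wrapper avoids double-counting, and walking only through shells keeps a legitimate admin script's kill from being attributed to whatever launched the terminal.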