Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22/11/2021, 16:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5ca211b48b43359ab62a59db198e57b3.exe
- Resource: win7-en-20211014
General
- Target: 5ca211b48b43359ab62a59db198e57b3.exe
- Size: 1.4MB
- MD5: 5ca211b48b43359ab62a59db198e57b3
- SHA1: 89f7bbcc7e2b48d20d00ba4eb79e5a158d0bc314
- SHA256: 72deb62321416b58d914a49b06b634ac16d3d401cd73d4116be9ff6f78ad69ba
- SHA512: e47dee9c9e290f977c118b8cba97b45ec258273568f4a6b692581b92634c493774481f889a2a465753cde99af36a0c1c5364974a95096cf43045454c60317086
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid   Process
  832   taskkill.exe
- Modifies system certificate store
  description       ioc                                                                                                                                Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436                 5ca211b48b43359ab62a59db198e57b3.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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  5ca211b48b43359ab62a59db198e57b3.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 588 (5ca211b48b43359ab62a59db198e57b3.exe) adjusted the following tokens:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
    SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
    SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege,
    SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
    SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  pid 832 (taskkill.exe) adjusted the following token:
    SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                               procid_target
  PID 588 wrote to memory of 1992    588   5ca211b48b43359ab62a59db198e57b3.exe  29   (4 events)
  PID 1992 wrote to memory of 832    1992  cmd.exe                               31   (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ca211b48b43359ab62a59db198e57b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ca211b48b43359ab62a59db198e57b3.exe"
  PID: 588
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 1992
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 832
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken