Analysis
- max time kernel: 126s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 22/11/2021, 16:36

Static task: static1
Behavioral task: behavioral1
- Sample: 5ca211b48b43359ab62a59db198e57b3.exe
- Resource: win7-en-20211014
- 0 signatures
- 0 seconds
General
- Target: 5ca211b48b43359ab62a59db198e57b3.exe
- Size: 1.4MB
- MD5: 5ca211b48b43359ab62a59db198e57b3
- SHA1: 89f7bbcc7e2b48d20d00ba4eb79e5a158d0bc314
- SHA256: 72deb62321416b58d914a49b06b634ac16d3d401cd73d4116be9ff6f78ad69ba
- SHA512: e47dee9c9e290f977c118b8cba97b45ec258273568f4a6b692581b92634c493774481f889a2a465753cde99af36a0c1c5364974a95096cf43045454c60317086
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)

  | pid  | Process      |
  |------|--------------|
  | 4448 | taskkill.exe |

- Suspicious use of AdjustPrivilegeToken (35 IoCs)

  | description                       | pid  | Process                              |
  |-----------------------------------|------|--------------------------------------|
  | Token: SeCreateTokenPrivilege        | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeAssignPrimaryTokenPrivilege | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeLockMemoryPrivilege         | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeIncreaseQuotaPrivilege      | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeMachineAccountPrivilege     | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeTcbPrivilege                | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeSecurityPrivilege           | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeTakeOwnershipPrivilege      | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeLoadDriverPrivilege         | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeSystemProfilePrivilege      | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeSystemtimePrivilege         | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeProfSingleProcessPrivilege  | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeIncBasePriorityPrivilege    | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeCreatePagefilePrivilege     | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeCreatePermanentPrivilege    | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeBackupPrivilege             | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeRestorePrivilege            | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeShutdownPrivilege           | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeDebugPrivilege              | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeAuditPrivilege              | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeSystemEnvironmentPrivilege  | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeChangeNotifyPrivilege       | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeRemoteShutdownPrivilege     | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeUndockPrivilege             | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeSyncAgentPrivilege          | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeEnableDelegationPrivilege   | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeManageVolumePrivilege       | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeImpersonatePrivilege        | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeCreateGlobalPrivilege       | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: 31                            | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: 32                            | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: 33                            | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: 34                            | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: 35                            | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe |
  | Token: SeDebugPrivilege              | 4448 | taskkill.exe                         |
- Suspicious use of WriteProcessMemory (6 IoCs)

  | description                       | pid  | Process                              | procid_target |
  |-----------------------------------|------|--------------------------------------|---------------|
  | PID 3708 wrote to memory of 4384  | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe | 68            |
  | PID 3708 wrote to memory of 4384  | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe | 68            |
  | PID 3708 wrote to memory of 4384  | 3708 | 5ca211b48b43359ab62a59db198e57b3.exe | 68            |
  | PID 4384 wrote to memory of 4448  | 4384 | cmd.exe                              | 70            |
  | PID 4384 wrote to memory of 4448  | 4384 | cmd.exe                              | 70            |
  | PID 4384 wrote to memory of 4448  | 4384 | cmd.exe                              | 70            |
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\5ca211b48b43359ab62a59db198e57b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ca211b48b43359ab62a59db198e57b3.exe"
  PID: 3708
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 4384
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 4448
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken