Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211104
submitted: 23/11/2021, 15:12
Static task: static1
Behavioral task: behavioral1
Sample: 1c5d0a58c9b78d4ec5092bff72cb8249.exe
Resource: win7-en-20211104
General
Target: 1c5d0a58c9b78d4ec5092bff72cb8249.exe
Size: 1.4MB
MD5: 1c5d0a58c9b78d4ec5092bff72cb8249
SHA1: 3a1511c5d0f162cd9d8dab11e2d59d02adf75bee
SHA256: ab3ad017ebe906793d06a4d7c2d6b280a90ff95299db71de7e33f70404aad28f
SHA512: 7f064d1abf44d5077b9defdf1a3a167f16a22df20ddd67a2f3269b026e96b7a98d0fc425d601c53282f4d2c68fe7e5a465cd305723809b4f0b699de00e097bec
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid Process
  544 taskkill.exe
- Modifies system certificate store
  description ioc Process
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob 1c5d0a58c9b78d4ec5092bff72cb8249.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description pid Process
  Token: SeCreateTokenPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeAssignPrimaryTokenPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeLockMemoryPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeIncreaseQuotaPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeMachineAccountPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeTcbPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSecurityPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeTakeOwnershipPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeLoadDriverPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSystemProfilePrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSystemtimePrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeProfSingleProcessPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeIncBasePriorityPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeCreatePagefilePrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeCreatePermanentPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeBackupPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeRestorePrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeShutdownPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeDebugPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeAuditPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSystemEnvironmentPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeChangeNotifyPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeRemoteShutdownPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeUndockPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSyncAgentPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeEnableDelegationPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeManageVolumePrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeImpersonatePrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeCreateGlobalPrivilege 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 31 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 32 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 33 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 34 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 35 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeDebugPrivilege 544 taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description pid Process procid_target
  PID 2040 wrote to memory of 272 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe 29
  PID 2040 wrote to memory of 272 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe 29
  PID 2040 wrote to memory of 272 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe 29
  PID 2040 wrote to memory of 272 2040 1c5d0a58c9b78d4ec5092bff72cb8249.exe 29
  PID 272 wrote to memory of 544 272 cmd.exe 31
  PID 272 wrote to memory of 544 272 cmd.exe 31
  PID 272 wrote to memory of 544 272 cmd.exe 31
  PID 272 wrote to memory of 544 272 cmd.exe 31
Processes
- C:\Users\Admin\AppData\Local\Temp\1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c5d0a58c9b78d4ec5092bff72cb8249.exe"
  PID: 2040
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 272
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 544
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken