Analysis
Max time kernel: 126s
Max time network: 126s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 23/11/2021, 15:12

Static task: static1
Behavioral task: behavioral1
Sample: 1c5d0a58c9b78d4ec5092bff72cb8249.exe
Resource: win7-en-20211104
0 signatures
0 seconds
General
Target: 1c5d0a58c9b78d4ec5092bff72cb8249.exe
Size: 1.4MB
MD5: 1c5d0a58c9b78d4ec5092bff72cb8249
SHA1: 3a1511c5d0f162cd9d8dab11e2d59d02adf75bee
SHA256: ab3ad017ebe906793d06a4d7c2d6b280a90ff95299db71de7e33f70404aad28f
SHA512: 7f064d1abf44d5077b9defdf1a3a167f16a22df20ddd67a2f3269b026e96b7a98d0fc425d601c53282f4d2c68fe7e5a465cd305723809b4f0b699de00e097bec
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid   Process
  3684  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                           pid   Process
  Token: SeCreateTokenPrivilege         2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeAssignPrimaryTokenPrivilege  2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeLockMemoryPrivilege          2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeIncreaseQuotaPrivilege       2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeMachineAccountPrivilege      2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeTcbPrivilege                 2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSecurityPrivilege            2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeTakeOwnershipPrivilege       2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeLoadDriverPrivilege          2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSystemProfilePrivilege       2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSystemtimePrivilege          2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeProfSingleProcessPrivilege   2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeIncBasePriorityPrivilege     2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeCreatePagefilePrivilege      2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeCreatePermanentPrivilege     2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeBackupPrivilege              2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeRestorePrivilege             2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeShutdownPrivilege            2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeDebugPrivilege               2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeAuditPrivilege               2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSystemEnvironmentPrivilege   2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeChangeNotifyPrivilege        2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeRemoteShutdownPrivilege      2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeUndockPrivilege              2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeSyncAgentPrivilege           2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeEnableDelegationPrivilege    2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeManageVolumePrivilege        2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeImpersonatePrivilege         2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeCreateGlobalPrivilege        2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 31                             2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 32                             2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 33                             2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 34                             2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: 35                             2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe
  Token: SeDebugPrivilege               3684  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 2720 wrote to memory of 3604  2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe  68
  PID 2720 wrote to memory of 3604  2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe  68
  PID 2720 wrote to memory of 3604  2720  1c5d0a58c9b78d4ec5092bff72cb8249.exe  68
  PID 3604 wrote to memory of 3684  3604  cmd.exe                               70
  PID 3604 wrote to memory of 3684  3604  cmd.exe                               70
  PID 3604 wrote to memory of 3684  3604  cmd.exe                               70
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c5d0a58c9b78d4ec5092bff72cb8249.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c5d0a58c9b78d4ec5092bff72cb8249.exe"
   PID: 2720
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe
      PID: 3604
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im chrome.exe
         PID: 3684
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken