Analysis

max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211104
submitted: 25-11-2021 16:50

Static task: static1
Behavioral task: behavioral1
Sample: f063a5ece410738e966ca8f7d3b3a495.exe
Resource: win7-en-20211104
General

Target: f063a5ece410738e966ca8f7d3b3a495.exe
Size: 1.5MB
MD5: f063a5ece410738e966ca8f7d3b3a495
SHA1: ec19108520ac2ebeb27b231e7053bd0b710c90d2
SHA256: 17486a31039fa56636c672dba5f9ab12178f888839f41137416b4f85f2affdcb
SHA512: 92c0dedc40eb45e15bb1b88529b71585fc1591183b33b825a5eb3d13d02b2ba9b41602c61c7a23719429ae2c654b1d62e3a336cd6e90edd34a791859bd7aed32
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and form data. In this run the sample also force-kills chrome.exe (see the process tree below); Chrome keeps its profile databases open while it runs, so killing it first is the usual way a stealer gets unrestricted access to them.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and its WOW6432Node counterpart for a 32-bit process) to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info, commonly to geofence execution or to tag the victim in the operator's logs.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but drive enumeration is equally common in stealers and installers, and no file-encryption or ransom-note activity appears elsewhere in this report.
- Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1112)
- Modifies system certificate store
  Process: f063a5ece410738e966ca8f7d3b3a495.exe (PID 592)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob not reproduced here)
  Caveat: AuthRoot is the store that Windows' automatic root update fills on demand, and this thumbprint matches the public DigiCert Global Root CA. A write here usually means the process made a TLS connection whose chain needed a root the fresh VM did not yet have (consistent with the geolocation lookup above), not that the sample installed a root of its own. Treat the signature as weak on its own; an attacker-installed root would normally land under ROOT\Certificates with a thumbprint outside the Microsoft trusted root program.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  f063a5ece410738e966ca8f7d3b3a495.exe (PID 592) requested, in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 31, 32, 33, 34, 35 (34 entries).
  taskkill.exe (PID 1112) requested: SeDebugPrivilege.
  Reading: the list for PID 592 is the well-known privilege LUIDs 2 through 35 in ascending order, which is what a loop calling AdjustTokenPrivileges on every LUID produces, not a request for the privileges the code actually needs; most of them cannot be enabled on a non-admin token anyway. The sandbox records the request, not whether it succeeded. taskkill.exe enabling SeDebugPrivilege is expected for a forced kill and is not attributable to the sample.
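The following script is an added example by the editor, not part of the report or of the sandbox that produced it. It parses the flattened "Token: <privilege> <pid> <image>" records in the form shown above, maps each privilege name to its well-known LUID (the table is from the Windows headers; the sandbox's abbreviated spellings SeProfSingleProcessPrivilege and SeIncBasePriorityPrivilege are accepted alongside the official names) and separates the blanket "enable every LUID in sequence" pattern from a targeted request for a few high-value privileges. The threshold of 20 LUIDs in one unbroken run for calling the pattern blanket is an assumption; the record it runs on is rebuilt from the list above.

```python
"""Classify AdjustPrivilegeToken records from a sandbox report.

Editor's example, not part of the report or the sandbox. Separates a
blanket "enable every well-known privilege" loop from a targeted request.
"""
import re

# Well-known privilege LUIDs from ntseapi.h (SE_MIN_WELL_KNOWN_PRIVILEGE is 2).
# The report abbreviates two names; both spellings are accepted.
PRIV_LUID = {
    "SeCreateTokenPrivilege": 2, "SeAssignPrimaryTokenPrivilege": 3,
    "SeLockMemoryPrivilege": 4, "SeIncreaseQuotaPrivilege": 5,
    "SeMachineAccountPrivilege": 6, "SeTcbPrivilege": 7, "SeSecurityPrivilege": 8,
    "SeTakeOwnershipPrivilege": 9, "SeLoadDriverPrivilege": 10,
    "SeSystemProfilePrivilege": 11, "SeSystemtimePrivilege": 12,
    "SeProfileSingleProcessPrivilege": 13, "SeProfSingleProcessPrivilege": 13,
    "SeIncreaseBasePriorityPrivilege": 14, "SeIncBasePriorityPrivilege": 14,
    "SeCreatePagefilePrivilege": 15, "SeCreatePermanentPrivilege": 16,
    "SeBackupPrivilege": 17, "SeRestorePrivilege": 18, "SeShutdownPrivilege": 19,
    "SeDebugPrivilege": 20, "SeAuditPrivilege": 21, "SeSystemEnvironmentPrivilege": 22,
    "SeChangeNotifyPrivilege": 23, "SeRemoteShutdownPrivilege": 24,
    "SeUndockPrivilege": 25, "SeSyncAgentPrivilege": 26,
    "SeEnableDelegationPrivilege": 27, "SeManageVolumePrivilege": 28,
    "SeImpersonatePrivilege": 29, "SeCreateGlobalPrivilege": 30,
}
# Privileges that matter for credential theft, tampering and code loading.
HIGH_VALUE = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
              "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
              "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Assumption: 20 or more distinct LUIDs in one unbroken run is a loop, not a need.
BLANKET_MIN_RUN = 20

RECORD_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_records(text):
    """Return {pid: {"image": str, "privs": [names in report order]}}."""
    procs = {}
    for name, pid, image in RECORD_RE.findall(text):
        entry = procs.setdefault(int(pid), {"image": image, "privs": []})
        entry["privs"].append(name)
    return procs


def luid_of(name):
    """Named privileges map through the table; unnamed ones are already LUIDs."""
    return int(name) if name.isdigit() else PRIV_LUID.get(name)


def classify(privs):
    luids = sorted({x for x in map(luid_of, privs) if x is not None})
    unbroken = bool(luids) and luids == list(range(luids[0], luids[-1] + 1))
    high = sorted(p for p in set(privs) if p in HIGH_VALUE)
    if unbroken and len(luids) >= BLANKET_MIN_RUN:
        pattern = "blanket-enable"       # every well-known LUID in sequence
    elif high:
        pattern = "targeted-high-value"  # a few privileges the code actually uses
    else:
        pattern = "low-value"
    return {"pattern": pattern, "count": len(privs),
            "luid_range": (luids[0], luids[-1]) if luids else None,
            "high_value": high}


def analyse(text):
    return {pid: {"image": p["image"], **classify(p["privs"])}
            for pid, p in parse_records(text).items()}


# Rebuilt from the report's AdjustPrivilegeToken list (PIDs 592 and 1112).
EXE = "f063a5ece410738e966ca8f7d3b3a495.exe"
REPORT_PRIVS_592 = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "31", "32", "33", "34", "35",
]
REPORT_TEXT = " ".join(f"Token: {p} 592 {EXE}" for p in REPORT_PRIVS_592) \
    + " Token: SeDebugPrivilege 1112 taskkill.exe"

if __name__ == "__main__":
    for pid, info in analyse(REPORT_TEXT).items():
        print(pid, info["image"], info["pattern"], info["luid_range"], info["high_value"])
```

On the report's own data PID 592 comes out as blanket-enable over LUIDs 2 to 35 and PID 1112 as a targeted SeDebugPrivilege request, which is the distinction the triage note above draws; the same parser works on any report that uses this record layout.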
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 592 (f063a5ece410738e966ca8f7d3b3a495.exe) wrote to the memory of PID 608 (cmd.exe): 4 events
  PID 608 (cmd.exe) wrote to the memory of PID 1112 (taskkill.exe): 4 events
  Reading: each pair is a parent writing into a child it has just created (see the process tree), which is what ordinary process creation looks like under this hook. There is no write into an unrelated process, so this is not evidence of injection.
Processes

- C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe (PID 592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe"
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 608)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 1112)
      Command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

The SysWOW64 paths show the sample is a 32-bit process on the x64 VM (file-system redirection sends its cmd.exe launch to SysWOW64). The only child activity is the forced kill of chrome.exe, which, combined with the browser-profile read signature, is the standard stealer sequence of unlocking Chrome's profile databases before copying them.
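The detection below is an added example by the editor, not part of the report or of the sandbox. It runs over Sysmon-style process, file and registry events and flags the chain the tree above shows: a non-shell process spawns cmd.exe, which spawns taskkill.exe against a browser, and the same origin process then touches browser profile databases and the Uninstall key. The process events mirror the report (PIDs 592, 608 and 1112 are the report's); the file and registry events are hypothetical instances of what the "Reads user/profile data of web browsers" and "Checks installed software" signatures fire on, and the root process's parent PID is unknown and left as None.

```python
"""Flag the kill-the-browser-then-read-its-profile chain over process, file
and registry events.

Editor's example, not part of the report or the sandbox. Process events
mirror the report's tree; the file and registry events are hypothetical.
"""
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Images that merely relay a command; walk past them to find who really acted.
RELAY_IMAGES = {"cmd.exe", "powershell.exe", "conhost.exe", "taskkill.exe"}
# Profile databases that browsers keep open while running.
PROFILE_DBS = {"login data", "cookies", "web data", "logins.json", "key4.db"}
UNINSTALL_KEY = r"\microsoft\windows\currentversion\uninstall"
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.IGNORECASE)

# Constructed events. PIDs and command lines for the three processes are the
# report's; the file and registry events are hypothetical examples.
EVENTS = [
    {"type": "process", "pid": 592, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe"'},
    {"type": "process", "pid": 608, "ppid": 592, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im chrome.exe"},
    {"type": "process", "pid": 1112, "ppid": 608, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im chrome.exe"},
    {"type": "file", "pid": 592,
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry", "pid": 592,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example App"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def origin_of(pid, procs):
    """Walk up the tree past relay images; return the first 'real' ancestor pid."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) not in RELAY_IMAGES:
            return cur["pid"]
        cur = procs.get(cur["ppid"])
    return None


def find_browser_kills(events):
    """taskkill.exe invocations whose /im target is a browser, attributed to
    the process that started the cmd/taskkill chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for proc in procs.values():
        if basename(proc["image"]) != "taskkill.exe":
            continue
        m = TASKKILL_RE.search(proc["cmdline"])
        if m and m.group(1).lower() in BROWSERS:
            hits.append({"kill_pid": proc["pid"], "browser": m.group(1).lower(),
                         "origin_pid": origin_of(proc["pid"], procs)})
    return hits


def find_profile_reads(events):
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file" and basename(e["path"]) in PROFILE_DBS]


def find_uninstall_enum(events):
    return [(e["pid"], e["key"]) for e in events
            if e["type"] == "registry" and UNINSTALL_KEY in e["key"].lower()]


def triage(events):
    """Per origin process: the tags it earned and a verdict. Killing a browser
    and then touching its profile databases is how a stealer gets past the
    open-file locks, so that pair is the decisive combination."""
    tags = defaultdict(set)
    for hit in find_browser_kills(events):
        tags[hit["origin_pid"]].add("kills_browser")
    for pid, _ in find_profile_reads(events):
        tags[pid].add("reads_browser_profile")
    for pid, _ in find_uninstall_enum(events):
        tags[pid].add("enumerates_installed_software")
    result = {}
    for pid, t in tags.items():
        decisive = {"kills_browser", "reads_browser_profile"} <= t
        result[pid] = {"tags": sorted(t),
                       "verdict": "infostealer-pattern" if decisive else "suspicious"}
    return result


if __name__ == "__main__":
    for pid, info in triage(EVENTS).items():
        print(pid, info["verdict"], ", ".join(info["tags"]))
```

Attributing the kill to the origin process rather than to taskkill.exe is the point: cmd.exe and taskkill.exe are relays, and the alert should name PID 592, the process whose later file and registry activity completes the pattern.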