Analysis
- max time kernel: 74s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-11-2021 16:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: f063a5ece410738e966ca8f7d3b3a495.exe
- Resource: win7-en-20211104
General
- Target: f063a5ece410738e966ca8f7d3b3a495.exe
- Size: 1.5MB
- MD5: f063a5ece410738e966ca8f7d3b3a495
- SHA1: ec19108520ac2ebeb27b231e7053bd0b710c90d2
- SHA256: 17486a31039fa56636c672dba5f9ab12178f888839f41137416b4f85f2affdcb
- SHA512: 92c0dedc40eb45e15bb1b88529b71585fc1591183b33b825a5eb3d13d02b2ba9b41602c61c7a23719429ae2c654b1d62e3a336cd6e90edd34a791859bd7aed32
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes:
    pid   process
    4056  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    description                             pid   process
    Token: SeCreateTokenPrivilege           4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeAssignPrimaryTokenPrivilege    4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeLockMemoryPrivilege            4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeIncreaseQuotaPrivilege         4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeMachineAccountPrivilege        4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeTcbPrivilege                   4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSecurityPrivilege              4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeTakeOwnershipPrivilege         4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeLoadDriverPrivilege            4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSystemProfilePrivilege         4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSystemtimePrivilege            4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeProfSingleProcessPrivilege     4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeIncBasePriorityPrivilege       4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeCreatePagefilePrivilege        4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeCreatePermanentPrivilege       4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeBackupPrivilege                4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeRestorePrivilege               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeShutdownPrivilege              4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeDebugPrivilege                 4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeAuditPrivilege                 4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSystemEnvironmentPrivilege     4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeChangeNotifyPrivilege          4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeRemoteShutdownPrivilege        4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeUndockPrivilege                4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeSyncAgentPrivilege             4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeEnableDelegationPrivilege      4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeManageVolumePrivilege          4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeImpersonatePrivilege           4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeCreateGlobalPrivilege          4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 31                               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 32                               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 33                               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 34                               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: 35                               4332  f063a5ece410738e966ca8f7d3b3a495.exe
    Token: SeDebugPrivilege                 4056  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                   pid   process                                target process
    PID 4332 wrote to memory of 4068  4332  f063a5ece410738e966ca8f7d3b3a495.exe   cmd.exe
    PID 4332 wrote to memory of 4068  4332  f063a5ece410738e966ca8f7d3b3a495.exe   cmd.exe
    PID 4332 wrote to memory of 4068  4332  f063a5ece410738e966ca8f7d3b3a495.exe   cmd.exe
    PID 4068 wrote to memory of 4056  4068  cmd.exe                                taskkill.exe
    PID 4068 wrote to memory of 4056  4068  cmd.exe                                taskkill.exe
    PID 4068 wrote to memory of 4056  4068  cmd.exe                                taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f063a5ece410738e966ca8f7d3b3a495.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken