Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22/12/2021, 11:21

Static task: static1
Behavioral task: behavioral1
  Sample: 4035f19bb85c910a3928cdffcef5f372.exe
  Resource: win7-en-20211208
General
- Target: 4035f19bb85c910a3928cdffcef5f372.exe
- Size: 1.4MB
- MD5: 4035f19bb85c910a3928cdffcef5f372
- SHA1: cc23f01231b6785bf4818a25e8de7bf7131b4635
- SHA256: b3d73e743f59f1d0efd96a02a156ecb4ed7375202b72c4a63fa2314728957ca5
- SHA512: 0ee1ad1765fe1fd3fafc2af65855f3d2b002e95e12a9342e6c56ac40a65fb021fcce60034703899306407023d27067e7fae26edd6eab24bc389f9437908451b6
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid   Process
  556   taskkill.exe
- Modifies system certificate store
  description        ioc   Process
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [hex-encoded certificate blob omitted]   4035f19bb85c910a3928cdffcef5f372.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436   4035f19bb85c910a3928cdffcef5f372.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                          pid    Process
  Token: SeCreateTokenPrivilege        1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeAssignPrimaryTokenPrivilege 1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeLockMemoryPrivilege         1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeIncreaseQuotaPrivilege      1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeMachineAccountPrivilege     1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeTcbPrivilege                1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSecurityPrivilege           1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeTakeOwnershipPrivilege      1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeLoadDriverPrivilege         1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSystemProfilePrivilege      1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSystemtimePrivilege         1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeProfSingleProcessPrivilege  1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeIncBasePriorityPrivilege    1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeCreatePagefilePrivilege     1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeCreatePermanentPrivilege    1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeBackupPrivilege             1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeRestorePrivilege            1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeShutdownPrivilege           1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeDebugPrivilege              1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeAuditPrivilege              1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSystemEnvironmentPrivilege  1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeChangeNotifyPrivilege       1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeRemoteShutdownPrivilege     1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeUndockPrivilege             1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSyncAgentPrivilege          1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeEnableDelegationPrivilege   1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeManageVolumePrivilege       1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeImpersonatePrivilege        1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeCreateGlobalPrivilege       1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: 31                            1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: 32                            1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: 33                            1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: 34                            1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: 35                            1700   4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeDebugPrivilege              556    taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                                procid_target
  PID 1700 wrote to memory of 1488   1700   4035f19bb85c910a3928cdffcef5f372.exe   28
  PID 1700 wrote to memory of 1488   1700   4035f19bb85c910a3928cdffcef5f372.exe   28
  PID 1700 wrote to memory of 1488   1700   4035f19bb85c910a3928cdffcef5f372.exe   28
  PID 1700 wrote to memory of 1488   1700   4035f19bb85c910a3928cdffcef5f372.exe   28
  PID 1488 wrote to memory of 556    1488   cmd.exe                                30
  PID 1488 wrote to memory of 556    1488   cmd.exe                                30
  PID 1488 wrote to memory of 556    1488   cmd.exe                                30
  PID 1488 wrote to memory of 556    1488   cmd.exe                                30
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4035f19bb85c910a3928cdffcef5f372.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4035f19bb85c910a3928cdffcef5f372.exe"
  PID: 1700
  Signatures: Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 1488
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 556
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken