Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22/12/2021, 11:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4035f19bb85c910a3928cdffcef5f372.exe
  - Resource: win7-en-20211208
  - 0 signatures
  - 0 seconds
General
- Target: 4035f19bb85c910a3928cdffcef5f372.exe
- Size: 1.4MB
- MD5: 4035f19bb85c910a3928cdffcef5f372
- SHA1: cc23f01231b6785bf4818a25e8de7bf7131b4635
- SHA256: b3d73e743f59f1d0efd96a02a156ecb4ed7375202b72c4a63fa2314728957ca5
- SHA512: 0ee1ad1765fe1fd3fafc2af65855f3d2b002e95e12a9342e6c56ac40a65fb021fcce60034703899306407023d27067e7fae26edd6eab24bc389f9437908451b6
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid  | Process
  4300 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                         | pid  | Process
  Token: SeCreateTokenPrivilege       | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeAssignPrimaryTokenPrivilege | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeLockMemoryPrivilege        | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeIncreaseQuotaPrivilege     | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeMachineAccountPrivilege    | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeTcbPrivilege               | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSecurityPrivilege          | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeTakeOwnershipPrivilege     | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeLoadDriverPrivilege        | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSystemProfilePrivilege     | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSystemtimePrivilege        | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeProfSingleProcessPrivilege | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeIncBasePriorityPrivilege   | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeCreatePagefilePrivilege    | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeCreatePermanentPrivilege   | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeBackupPrivilege            | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeRestorePrivilege           | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeShutdownPrivilege          | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeDebugPrivilege             | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeAuditPrivilege             | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSystemEnvironmentPrivilege | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeChangeNotifyPrivilege      | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeRemoteShutdownPrivilege    | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeUndockPrivilege            | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeSyncAgentPrivilege         | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeEnableDelegationPrivilege  | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeManageVolumePrivilege      | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeImpersonatePrivilege       | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeCreateGlobalPrivilege      | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: 31                           | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: 32                           | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: 33                           | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: 34                           | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: 35                           | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe
  Token: SeDebugPrivilege             | 4300 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process                              | procid_target
  PID 3544 wrote to memory of 4020 | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe | 69
  PID 3544 wrote to memory of 4020 | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe | 69
  PID 3544 wrote to memory of 4020 | 3544 | 4035f19bb85c910a3928cdffcef5f372.exe | 69
  PID 4020 wrote to memory of 4300 | 4020 | cmd.exe                              | 71
  PID 4020 wrote to memory of 4300 | 4020 | cmd.exe                              | 71
  PID 4020 wrote to memory of 4300 | 4020 | cmd.exe                              | 71
Processes
- C:\Users\Admin\AppData\Local\Temp\4035f19bb85c910a3928cdffcef5f372.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4035f19bb85c910a3928cdffcef5f372.exe"
  PID: 3544
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 4020
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /f /im chrome.exe
      PID: 4300
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken