Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 25/12/2021, 08:10
Static task: static1
Behavioral task: behavioral1
- Sample: 7594faafcbda5e8cd083b9a58e2c6b78.exe
- Resource: win7-en-20211208
General
- Target: 7594faafcbda5e8cd083b9a58e2c6b78.exe
- Size: 1.4MB
- MD5: 7594faafcbda5e8cd083b9a58e2c6b78
- SHA1: 9cb399dab50eed65800c22c4a86e3831ba163446
- SHA256: 0d5fad1de85eef9a74cade2bbe9e236a9d76cfbaf67ff11de080c4323b2534ec
- SHA512: c7ae0a73b8a2746f747296b78efbc7ee275f3800f986738bded80557ec933c0b04699248b9c4694ee1a89c5969ede55d579dfe6ba0b30bc1b6a4b60b38075291
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid   Process
  816   taskkill.exe
- Modifies system certificate store (2 IoCs)
  description       ioc                                                                                                                         Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436      7594faafcbda5e8cd083b9a58e2c6b78.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data not present on page]   7594faafcbda5e8cd083b9a58e2c6b78.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description: Token  (grouped by pid / Process)
  pid 1352, 7594faafcbda5e8cd083b9a58e2c6b78.exe (34 tokens):
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege,
    SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege,
    SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege,
    SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege,
    SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege,
    SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege,
    SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
    SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  pid 816, taskkill.exe (1 token):
    SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                procid_target
  PID 1352 wrote to memory of 568    1352  7594faafcbda5e8cd083b9a58e2c6b78.exe   28
  PID 1352 wrote to memory of 568    1352  7594faafcbda5e8cd083b9a58e2c6b78.exe   28
  PID 1352 wrote to memory of 568    1352  7594faafcbda5e8cd083b9a58e2c6b78.exe   28
  PID 1352 wrote to memory of 568    1352  7594faafcbda5e8cd083b9a58e2c6b78.exe   28
  PID 568 wrote to memory of 816     568   cmd.exe                                30
  PID 568 wrote to memory of 816     568   cmd.exe                                30
  PID 568 wrote to memory of 816     568   cmd.exe                                30
  PID 568 wrote to memory of 816     568   cmd.exe                                30
Processes
- C:\Users\Admin\AppData\Local\Temp\7594faafcbda5e8cd083b9a58e2c6b78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7594faafcbda5e8cd083b9a58e2c6b78.exe"
  PID: 1352
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 568
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 816
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken