Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211208
submitted: 25/12/2021, 12:41
Static task: static1
Behavioral task: behavioral1
Sample: 7b5d9e5737b3b7a1110f13cb72ca5842.exe
Resource: win7-en-20211208
General
Target: 7b5d9e5737b3b7a1110f13cb72ca5842.exe
Size: 1.4MB
MD5: 7b5d9e5737b3b7a1110f13cb72ca5842
SHA1: d58ac8636e5f6eb29d03e8d9602b84a6d6282ae4
SHA256: 2570e4529bf20097068a2c4077330b27a910a018ba9967ed3ddde93c6aa81662
SHA512: 3924f8b86f36e44c22ec78852d6e10c950192603c3effcdcb3958264cca826d7118a031c41df0819526146bf16cab49de941cbdb1fbc89cb39b1f3ce5757c053
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid   Process
  784   taskkill.exe
- Modifies system certificate store
  description        ioc                                                                                                              Process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436          7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <blob data not included in this capture>   7b5d9e5737b3b7a1110f13cb72ca5842.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                          pid    Process
  Token: SeCreateTokenPrivilege        1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeAssignPrimaryTokenPrivilege 1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeLockMemoryPrivilege         1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeIncreaseQuotaPrivilege      1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeMachineAccountPrivilege     1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeTcbPrivilege                1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSecurityPrivilege           1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeTakeOwnershipPrivilege      1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeLoadDriverPrivilege         1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSystemProfilePrivilege      1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSystemtimePrivilege         1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeProfSingleProcessPrivilege  1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeIncBasePriorityPrivilege    1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeCreatePagefilePrivilege     1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeCreatePermanentPrivilege    1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeBackupPrivilege             1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeRestorePrivilege            1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeShutdownPrivilege           1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeDebugPrivilege              1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeAuditPrivilege              1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSystemEnvironmentPrivilege  1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeChangeNotifyPrivilege       1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeRemoteShutdownPrivilege     1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeUndockPrivilege             1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSyncAgentPrivilege          1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeEnableDelegationPrivilege   1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeManageVolumePrivilege       1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeImpersonatePrivilege        1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeCreateGlobalPrivilege       1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 31                            1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 32                            1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 33                            1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 34                            1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 35                            1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeDebugPrivilege              784    taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                                 procid_target
  PID 1316 wrote to memory of 588    1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe   28
  PID 1316 wrote to memory of 588    1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe   28
  PID 1316 wrote to memory of 588    1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe   28
  PID 1316 wrote to memory of 588    1316   7b5d9e5737b3b7a1110f13cb72ca5842.exe   28
  PID 588 wrote to memory of 784     588    cmd.exe                                 30
  PID 588 wrote to memory of 784     588    cmd.exe                                 30
  PID 588 wrote to memory of 784     588    cmd.exe                                 30
  PID 588 wrote to memory of 784     588    cmd.exe                                 30
Processes
- C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe (PID: 1316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe"
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID: 588)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID: 784)
      Command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken