Analysis
- max time kernel: 83s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25/12/2021, 12:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7b5d9e5737b3b7a1110f13cb72ca5842.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
General
- Target: 7b5d9e5737b3b7a1110f13cb72ca5842.exe
- Size: 1.4MB
- MD5: 7b5d9e5737b3b7a1110f13cb72ca5842
- SHA1: d58ac8636e5f6eb29d03e8d9602b84a6d6282ae4
- SHA256: 2570e4529bf20097068a2c4077330b27a910a018ba9967ed3ddde93c6aa81662
- SHA512: 3924f8b86f36e44c22ec78852d6e10c950192603c3effcdcb3958264cca826d7118a031c41df0819526146bf16cab49de941cbdb1fbc89cb39b1f3ce5757c053
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid | Process
  580 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description | pid | Process
  Token: SeCreateTokenPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeAssignPrimaryTokenPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeLockMemoryPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeIncreaseQuotaPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeMachineAccountPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeTcbPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSecurityPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeTakeOwnershipPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeLoadDriverPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSystemProfilePrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSystemtimePrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeProfSingleProcessPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeIncBasePriorityPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeCreatePagefilePrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeCreatePermanentPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeBackupPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeRestorePrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeShutdownPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeDebugPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeAuditPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSystemEnvironmentPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeChangeNotifyPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeRemoteShutdownPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeUndockPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeSyncAgentPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeEnableDelegationPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeManageVolumePrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeImpersonatePrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeCreateGlobalPrivilege | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 31 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 32 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 33 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 34 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: 35 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Token: SeDebugPrivilege | 580 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2224 wrote to memory of 3192 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe | 69
  PID 2224 wrote to memory of 3192 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe | 69
  PID 2224 wrote to memory of 3192 | 2224 | 7b5d9e5737b3b7a1110f13cb72ca5842.exe | 69
  PID 3192 wrote to memory of 580 | 3192 | cmd.exe | 71
  PID 3192 wrote to memory of 580 | 3192 | cmd.exe | 71
  PID 3192 wrote to memory of 580 | 3192 | cmd.exe | 71
Processes
- C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b5d9e5737b3b7a1110f13cb72ca5842.exe"
  PID: 2224
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 3192
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 580
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken