Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26/12/2021, 17:10

Static task: static1
Behavioral task: behavioral1
Sample: 0c9e06cd1ff3dfc67fc97b3227229706.exe
Resource: win7-en-20211208
General
- Target: 0c9e06cd1ff3dfc67fc97b3227229706.exe
- Size: 1.4MB
- MD5: 0c9e06cd1ff3dfc67fc97b3227229706
- SHA1: da09e182190dc6878faf6fcd80ccc4851424b71b
- SHA256: 7e20adf0139c25e9813e91435df14ef96ee8d55cccc10cf7450f194c33ed573c
- SHA512: 602fc5f5451174ed9099348d73234a7ff60a0947e25d2e4ca43da46edb5b5d25b47d59a1f2413752c7b69b7b4e5a2d80e23db3af26c057358b6f3ef9702c86eb
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid | Process
  548 | taskkill.exe
- Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <elided> | 0c9e06cd1ff3dfc67fc97b3227229706.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description | pid | Process
  Token: SeCreateTokenPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeAssignPrimaryTokenPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeLockMemoryPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeIncreaseQuotaPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeMachineAccountPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeTcbPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSecurityPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeTakeOwnershipPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeLoadDriverPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSystemProfilePrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSystemtimePrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeProfSingleProcessPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeIncBasePriorityPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeCreatePagefilePrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeCreatePermanentPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeBackupPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeRestorePrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeShutdownPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeDebugPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeAuditPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSystemEnvironmentPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeChangeNotifyPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeRemoteShutdownPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeUndockPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSyncAgentPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeEnableDelegationPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeManageVolumePrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeImpersonatePrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeCreateGlobalPrivilege | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 31 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 32 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 33 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 34 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 35 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeDebugPrivilege | 548 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1712 wrote to memory of 784 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe | 28
  PID 1712 wrote to memory of 784 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe | 28
  PID 1712 wrote to memory of 784 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe | 28
  PID 1712 wrote to memory of 784 | 1712 | 0c9e06cd1ff3dfc67fc97b3227229706.exe | 28
  PID 784 wrote to memory of 548 | 784 | cmd.exe | 30
  PID 784 wrote to memory of 548 | 784 | cmd.exe | 30
  PID 784 wrote to memory of 548 | 784 | cmd.exe | 30
  PID 784 wrote to memory of 548 | 784 | cmd.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c9e06cd1ff3dfc67fc97b3227229706.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c9e06cd1ff3dfc67fc97b3227229706.exe"
   PID: 1712
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe
      PID: 784
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im chrome.exe
         PID: 548
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken