Analysis
- max time kernel: 117s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26/12/2021, 17:10

Static task: static1
Behavioral task: behavioral1
- Sample: 0c9e06cd1ff3dfc67fc97b3227229706.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
General
- Target: 0c9e06cd1ff3dfc67fc97b3227229706.exe
- Size: 1.4MB
- MD5: 0c9e06cd1ff3dfc67fc97b3227229706
- SHA1: da09e182190dc6878faf6fcd80ccc4851424b71b
- SHA256: 7e20adf0139c25e9813e91435df14ef96ee8d55cccc10cf7450f194c33ed573c
- SHA512: 602fc5f5451174ed9099348d73234a7ff60a0947e25d2e4ca43da46edb5b5d25b47d59a1f2413752c7b69b7b4e5a2d80e23db3af26c057358b6f3ef9702c86eb
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)

  pid   Process
  4052  taskkill.exe

- Suspicious use of AdjustPrivilegeToken (35 IoCs)

  description                          pid   Process
  Token: SeCreateTokenPrivilege        3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeAssignPrimaryTokenPrivilege 3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeLockMemoryPrivilege         3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeIncreaseQuotaPrivilege      3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeMachineAccountPrivilege     3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeTcbPrivilege                3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSecurityPrivilege           3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeTakeOwnershipPrivilege      3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeLoadDriverPrivilege         3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSystemProfilePrivilege      3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSystemtimePrivilege         3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeProfSingleProcessPrivilege  3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeIncBasePriorityPrivilege    3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeCreatePagefilePrivilege     3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeCreatePermanentPrivilege    3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeBackupPrivilege             3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeRestorePrivilege            3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeShutdownPrivilege           3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeDebugPrivilege              3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeAuditPrivilege              3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSystemEnvironmentPrivilege  3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeChangeNotifyPrivilege       3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeRemoteShutdownPrivilege     3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeUndockPrivilege             3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeSyncAgentPrivilege          3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeEnableDelegationPrivilege   3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeManageVolumePrivilege       3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeImpersonatePrivilege        3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeCreateGlobalPrivilege       3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 31                            3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 32                            3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 33                            3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 34                            3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: 35                            3992  0c9e06cd1ff3dfc67fc97b3227229706.exe
  Token: SeDebugPrivilege              4052  taskkill.exe

- Suspicious use of WriteProcessMemory (6 IoCs)

  description                           pid   Process                               procid_target
  PID 3992 wrote to memory of 3112      3992  0c9e06cd1ff3dfc67fc97b3227229706.exe  69
  PID 3992 wrote to memory of 3112      3992  0c9e06cd1ff3dfc67fc97b3227229706.exe  69
  PID 3992 wrote to memory of 3112      3992  0c9e06cd1ff3dfc67fc97b3227229706.exe  69
  PID 3112 wrote to memory of 4052      3112  cmd.exe                               71
  PID 3112 wrote to memory of 4052      3112  cmd.exe                               71
  PID 3112 wrote to memory of 4052      3112  cmd.exe                               71
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c9e06cd1ff3dfc67fc97b3227229706.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c9e06cd1ff3dfc67fc97b3227229706.exe"
   PID: 3992
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe
      PID: 3112
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im chrome.exe
         PID: 4052
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken