Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:07
Static task: static1
Behavioral task: behavioral1
Sample: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
Resource: win7-20220414-en
General
- Target: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
- Size: 1.4MB
- MD5: 7f9a498cc692f9f3f0cfe241c80e8ad8
- SHA1: b5c3f7322da2c8b8ce0f473a26b54d057593162e
- SHA256: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489
- SHA512: 8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid  | process
  1220 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe, taskkill.exe
  description                          | pid  | process
  Token: SeCreateTokenPrivilege        | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeAssignPrimaryTokenPrivilege | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeLockMemoryPrivilege         | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeIncreaseQuotaPrivilege      | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeMachineAccountPrivilege     | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeTcbPrivilege                | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSecurityPrivilege           | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeTakeOwnershipPrivilege      | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeLoadDriverPrivilege         | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSystemProfilePrivilege      | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSystemtimePrivilege         | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeProfSingleProcessPrivilege  | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeIncBasePriorityPrivilege    | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeCreatePagefilePrivilege     | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeCreatePermanentPrivilege    | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeBackupPrivilege             | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeRestorePrivilege            | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeShutdownPrivilege           | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeDebugPrivilege              | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeAuditPrivilege              | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSystemEnvironmentPrivilege  | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeChangeNotifyPrivilege       | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeRemoteShutdownPrivilege     | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeUndockPrivilege             | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSyncAgentPrivilege          | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeEnableDelegationPrivilege   | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeManageVolumePrivilege       | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeImpersonatePrivilege        | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeCreateGlobalPrivilege       | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 31                            | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 32                            | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 33                            | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 34                            | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 35                            | 272  | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeDebugPrivilege              | 1220 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe, cmd.exe
  description                     | pid | process                                                              | target process
  PID 272 wrote to memory of 524  | 272 | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe | cmd.exe
  PID 272 wrote to memory of 524  | 272 | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe | cmd.exe
  PID 272 wrote to memory of 524  | 272 | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe | cmd.exe
  PID 272 wrote to memory of 524  | 272 | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe | cmd.exe
  PID 524 wrote to memory of 1220 | 524 | cmd.exe                                                              | taskkill.exe
  PID 524 wrote to memory of 1220 | 524 | cmd.exe                                                              | taskkill.exe
  PID 524 wrote to memory of 1220 | 524 | cmd.exe                                                              | taskkill.exe
  PID 524 wrote to memory of 1220 | 524 | cmd.exe                                                              | taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken