Analysis
- max time kernel: 62s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
- Resource: win7-20220414-en
General
- Target: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
- Size: 1.4MB
- MD5: 7f9a498cc692f9f3f0cfe241c80e8ad8
- SHA1: b5c3f7322da2c8b8ce0f473a26b54d057593162e
- SHA256: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489
- SHA512: 8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid   process
  4300  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe, taskkill.exe
  description                           pid   process
  Token: SeCreateTokenPrivilege         1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeAssignPrimaryTokenPrivilege  1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeLockMemoryPrivilege          1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeIncreaseQuotaPrivilege       1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeMachineAccountPrivilege      1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeTcbPrivilege                 1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSecurityPrivilege            1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeTakeOwnershipPrivilege       1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeLoadDriverPrivilege          1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSystemProfilePrivilege       1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSystemtimePrivilege          1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeProfSingleProcessPrivilege   1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeIncBasePriorityPrivilege     1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeCreatePagefilePrivilege      1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeCreatePermanentPrivilege     1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeBackupPrivilege              1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeRestorePrivilege             1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeShutdownPrivilege            1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeDebugPrivilege               1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeAuditPrivilege               1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSystemEnvironmentPrivilege   1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeChangeNotifyPrivilege        1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeRemoteShutdownPrivilege      1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeUndockPrivilege              1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeSyncAgentPrivilege           1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeEnableDelegationPrivilege    1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeManageVolumePrivilege        1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeImpersonatePrivilege         1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeCreateGlobalPrivilege        1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 31                             1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 32                             1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 33                             1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 34                             1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: 35                             1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe
  Token: SeDebugPrivilege               4300  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe, cmd.exe
  description                          pid   process                                                                   target process
  PID 1448 wrote to memory of 4936     1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe     cmd.exe
  PID 1448 wrote to memory of 4936     1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe     cmd.exe
  PID 1448 wrote to memory of 4936     1448  953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe     cmd.exe
  PID 4936 wrote to memory of 4300     4936  cmd.exe                                                                   taskkill.exe
  PID 4936 wrote to memory of 4300     4936  cmd.exe                                                                   taskkill.exe
  PID 4936 wrote to memory of 4300     4936  cmd.exe                                                                   taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, child of the above)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (level 3, child of cmd.exe)
      Command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken