Analysis

max time kernel: 83s
max time network: 157s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 06:33

Static task: static1
Behavioral task: behavioral1
  Sample: 479e6a45a08e74c6d0141c5f6d107574.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds
General

Target: 479e6a45a08e74c6d0141c5f6d107574.exe
Size: 1.7MB
MD5: 479e6a45a08e74c6d0141c5f6d107574
SHA1: 254af78357032f1e7f7659eda0ff22ffc7900b12
SHA256: 75cad21c1fd17e0c6206688dade2c78ad51a16336ea8f3bb0201dd163ad4b123
SHA512: ad1b38ea2abc15976ae6eb62b16ddbba5dc205b750487a0b635ad1f02cf42711ff4803ead158eb78ea42ead944eb9a65e547b5e07c55bd04c18fc71ede807bdf
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Drops file in Program Files directory (10 IoCs)
  Processes:
    479e6a45a08e74c6d0141c5f6d107574.exe
  description | ioc | process
    File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js | 479e6a45a08e74c6d0141c5f6d107574.exe
    File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js | 479e6a45a08e74c6d0141c5f6d107574.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (1 IoCs)
  Processes:
    taskkill.exe
  pid | process
    524 | taskkill.exe
- Modifies system certificate store
  Processes:
    479e6a45a08e74c6d0141c5f6d107574.exe
  description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 479e6a45a08e74c6d0141c5f6d107574.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not shown) | 479e6a45a08e74c6d0141c5f6d107574.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not shown) | 479e6a45a08e74c6d0141c5f6d107574.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    479e6a45a08e74c6d0141c5f6d107574.exe
    taskkill.exe
  description | pid | process
    479e6a45a08e74c6d0141c5f6d107574.exe (pid 1480) adjusted the following token privileges, one IoC each:
      SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege,
      SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege,
      SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
      SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege,
      SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege,
      SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege,
      SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
      SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
    Token: SeDebugPrivilege | 524 | taskkill.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    479e6a45a08e74c6d0141c5f6d107574.exe
    cmd.exe
  description | pid | process | target process
    PID 1480 wrote to memory of 1360 | 1480 | 479e6a45a08e74c6d0141c5f6d107574.exe | cmd.exe (4 identical entries)
    PID 1360 wrote to memory of 524 | 1360 | cmd.exe | taskkill.exe (4 identical entries)
    PID 1480 wrote to memory of 1684 | 1480 | 479e6a45a08e74c6d0141c5f6d107574.exe | chrome.exe (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\479e6a45a08e74c6d0141c5f6d107574.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\479e6a45a08e74c6d0141c5f6d107574.exe"
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"