Analysis

max time kernel: 75s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2022 06:22

Behavioral task: behavioral1
Sample: 809b9513cecea98e925419a39a6244a2.exe
Resource: win7-20220812-en (windows7-x64)
7 signatures
150 seconds
General

Target: 809b9513cecea98e925419a39a6244a2.exe
Size: 1.8MB
MD5: 809b9513cecea98e925419a39a6244a2
SHA1: 91ce1a46ba918e898021e7ab07323d155acb58e3
SHA256: 5685ca25aa397dbe143b527532479e9df78750f068990785075c13622ade021e
SHA512: c5739b9311c99231c8d59053abab341d7f9bd36e6fdcca082a226b4173c07f303da0bf90d7948cbc475c172f0bca239e5346d402a7162e249560c49db183fcef
SSDEEP: 49152:q3n7xKVvTj90emnEvpjPHDWPts+SEY8JeH79wLJ6zdrji1:q3n7xUTjyeYEvpjStsbP
Malware Config
Signatures

UPX packed file (yara rule)
  resource                                                                           yara_rule
  behavioral2/memory/2472-132-0x0000000000190000-0x000000000078A000-memory.dmp       upx
  behavioral2/memory/2472-135-0x0000000000190000-0x000000000078A000-memory.dmp       upx

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description              flow  ioc
  HTTP User-Agent header   9     Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2472  809b9513cecea98e925419a39a6244a2.exe
  2472  809b9513cecea98e925419a39a6244a2.exe

Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             2472  809b9513cecea98e925419a39a6244a2.exe
  Token: SeIncreaseQuotaPrivilege     4920  WMIC.exe
  Token: SeSecurityPrivilege          4920  WMIC.exe
  Token: SeTakeOwnershipPrivilege     4920  WMIC.exe
  Token: SeLoadDriverPrivilege        4920  WMIC.exe
  Token: SeSystemProfilePrivilege     4920  WMIC.exe
  Token: SeSystemtimePrivilege        4920  WMIC.exe
  Token: SeProfSingleProcessPrivilege 4920  WMIC.exe
  Token: SeIncBasePriorityPrivilege   4920  WMIC.exe
  Token: SeCreatePagefilePrivilege    4920  WMIC.exe
  Token: SeBackupPrivilege            4920  WMIC.exe
  Token: SeRestorePrivilege           4920  WMIC.exe
  Token: SeShutdownPrivilege          4920  WMIC.exe
  Token: SeDebugPrivilege             4920  WMIC.exe
  Token: SeSystemEnvironmentPrivilege 4920  WMIC.exe
  Token: SeRemoteShutdownPrivilege    4920  WMIC.exe
  Token: SeUndockPrivilege            4920  WMIC.exe
  Token: SeManageVolumePrivilege      4920  WMIC.exe
  Token: 33                           4920  WMIC.exe
  Token: 34                           4920  WMIC.exe
  Token: 35                           4920  WMIC.exe
  Token: 36                           4920  WMIC.exe
  Token: SeIncreaseQuotaPrivilege     4920  WMIC.exe
  Token: SeSecurityPrivilege          4920  WMIC.exe
  Token: SeTakeOwnershipPrivilege     4920  WMIC.exe
  Token: SeLoadDriverPrivilege        4920  WMIC.exe
  Token: SeSystemProfilePrivilege     4920  WMIC.exe
  Token: SeSystemtimePrivilege        4920  WMIC.exe
  Token: SeProfSingleProcessPrivilege 4920  WMIC.exe
  Token: SeIncBasePriorityPrivilege   4920  WMIC.exe
  Token: SeCreatePagefilePrivilege    4920  WMIC.exe
  Token: SeBackupPrivilege            4920  WMIC.exe
  Token: SeRestorePrivilege           4920  WMIC.exe
  Token: SeShutdownPrivilege          4920  WMIC.exe
  Token: SeDebugPrivilege             4920  WMIC.exe
  Token: SeSystemEnvironmentPrivilege 4920  WMIC.exe
  Token: SeRemoteShutdownPrivilege    4920  WMIC.exe
  Token: SeUndockPrivilege            4920  WMIC.exe
  Token: SeManageVolumePrivilege      4920  WMIC.exe
  Token: 33                           4920  WMIC.exe
  Token: 34                           4920  WMIC.exe
  Token: 35                           4920  WMIC.exe
  Token: 36                           4920  WMIC.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2472 wrote to memory of 4940   2472  809b9513cecea98e925419a39a6244a2.exe  83
  PID 2472 wrote to memory of 4940   2472  809b9513cecea98e925419a39a6244a2.exe  83
  PID 4940 wrote to memory of 4920   4940  cmd.exe                               85
  PID 4940 wrote to memory of 4920   4940  cmd.exe                               85
Processes

1. C:\Users\Admin\AppData\Local\Temp\809b9513cecea98e925419a39a6244a2.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\809b9513cecea98e925419a39a6244a2.exe"
   PID: 2472
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: cmd.exe /c "wmic csproduct get uuid"
      PID: 4940
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\WMIC.exe
         command line: wmic csproduct get uuid
         PID: 4920
         - Suspicious use of AdjustPrivilegeToken