Analysis
- max time kernel: 126s
- max time network: 319s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26/11/2022, 22:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe
  - Resource: win7-20220812-en
  - 3 signatures
  - 300 seconds
General
- Target: 2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe
- Size: 4.4MB
- MD5: 867c71f074b9121542595bde9709c2b6
- SHA1: faa029153fba48715e164d263b0df39dc5102ab6
- SHA256: 2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1
- SHA512: 1184c6bce6f9dbe4bbe0253e3a40d06fbb7d907f47dbbcb44bdb895b065985e4910f0e9e6dad2c4b832ab404c3f5f5271ccf47950c29a91bda1b5f67a24e2095
- SSDEEP: 49152:9ddj9ge0TmYUtHZ4jNPfiluylvkBEk060xav5EN5tGQnlrjGn01+:9CemoIPn9xEVG8lG
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges enabled, recorded as (description, pid, Process). The same 21 entries were logged twice for PID 2720 and once for PID 4572, followed by one further SeIncreaseQuotaPrivilege entry for PID 4572 (42 + 22 = 64). All of these hits belong to the wmic.exe / WMIC.exe child processes (PIDs 2720 and 4572), not to the sample's own process (PID 2408), so they describe WMIC's token handling rather than privilege manipulation performed by the sample itself.
  - pid 2720, wmic.exe (set logged twice):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - pid 4572, WMIC.exe (set logged once, then SeIncreaseQuotaPrivilege once more):
    Token: the same 21 token privileges as listed for pid 2720, followed by SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (10 IoCs)
  Recorded as (description, pid, Process, procid_target); each of the following five write events was logged twice:
  - PID 2408 wrote to memory of 2720; pid 2408, 2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe; procid_target 66
  - PID 2408 wrote to memory of 3364; pid 2408, 2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe; procid_target 69
  - PID 3364 wrote to memory of 4572; pid 3364, cmd.exe; procid_target 71
  - PID 2408 wrote to memory of 4600; pid 2408, 2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe; procid_target 72
  - PID 4600 wrote to memory of 4076; pid 4600, cmd.exe; procid_target 74
Processes
- C:\Users\Admin\AppData\Local\Temp\2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe (PID 2408)
  command line: "C:\Users\Admin\AppData\Local\Temp\2ed1ed1a7fcc1aa7ad61369cedc39718cd1e93748b88d989cbeaa9c98b7f87b1.exe"
  Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (PID 2720)
    command line: wmic os get Caption
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3364)
    command line: cmd /C "wmic path win32_VideoController get name"
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4572)
      command line: wmic path win32_VideoController get name
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4600)
    command line: cmd /C "wmic cpu get name"
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4076)
      command line: wmic cpu get name

The only child activity recorded is three WMIC queries for the OS caption, the video controller name and the CPU name, i.e. host fingerprinting. For analysts, this pattern is worth noting: the GPU and CPU model strings exposed by a virtualised environment are a commonly used virtual-machine indicator, so a run that shows little activity beyond these queries may reflect the sample's environment check rather than its full behaviour.