Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 07:10
Behavioral task
- behavioral1
- Sample: acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
- Resource: win7-20221111-en
General
- Target: acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
- Size: 1.4MB
- MD5: f743fe2fb172e1077b3a8ef52ac1a8bb
- SHA1: 0ec642903f4150a1a9f928a1bf15e1d6cc2031de
- SHA256: acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d
- SHA512: 8865d5fae693325792c3942ca3da64d841a0f96bab40ae6b49099e22736c350b0922954cc768ec603532f95805330236bf1e9e8a2c847669bb8c63addb57f25c
- SSDEEP: 24576:kwpk4V9rRM1oDb+enGs2Q6E9ZBJRPHJYrFSJ84ufUxKF6ug:hpRc1OMcV8sJjAUxKsug
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
  - taskkill.exe (pid 1512)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
  - acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe (pid 3016) adjusted token privileges: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  - taskkill.exe (pid 1512) adjusted token privilege: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (pid, process -> target process):
  - PID 3016 (acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe) wrote to memory of 4944 (cmd.exe)
  - PID 3016 (acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe) wrote to memory of 4944 (cmd.exe)
  - PID 3016 (acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe) wrote to memory of 4944 (cmd.exe)
  - PID 4944 (cmd.exe) wrote to memory of 1512 (taskkill.exe)
  - PID 4944 (cmd.exe) wrote to memory of 1512 (taskkill.exe)
  - PID 4944 (cmd.exe) wrote to memory of 1512 (taskkill.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acef718e5448e8f6f41f0a9e629b1ef41a1f49e30721cfbf906705aed0cd470d.exe"
  Depth: 1
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    Depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      Depth: 3
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken