Analysis
- max time kernel: 150s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 09:17
Behavioral task: behavioral1
- Sample: 8194c5a8a145a9c76349c08afc5caa1f.exe
- Resource: win7-20221111-en
General
- Target: 8194c5a8a145a9c76349c08afc5caa1f.exe
- Size: 675KB
- MD5: 8194c5a8a145a9c76349c08afc5caa1f
- SHA1: 059ec1283f5d812533d662c3d569eb286973602e
- SHA256: 4651270dd4ecec382fc2b62f0f946379107945dea1b36f168be59db502be81ee
- SHA512: 1443cb59203de429f7f12e75af0912a372e83d6fd74508f514affdad6545c0883b77fd3b227be709145882088868a5c90389b4a527e5621e14ad5127237b6d24
- SSDEEP: 12288:xqlMhfymUyZzk8ri+hcGgn9cJBJYGahyHY2oSjqOe6zUDmg:x5kxyZFe+hcGEXGwiY2j25
Malware Config
Signatures
- Yara rule match: upx (1 IoC)
  resource: behavioral2/memory/4900-132-0x0000000000400000-0x000000000058E000-memory.dmp
  yara_rule: upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  No host or URL is listed for this signature in the report.
- Drops file in Program Files directory (10 IoCs)
  All ten writes come from PID 4900 (8194c5a8a145a9c76349c08afc5caa1f.exe) and land under one directory, C:\Program Files\aieoplapobidheellikiicjfpamacpfd. The file set (manifest.json, background.html, js\background.js, js\content.js, icon.png) is the layout of an unpacked Chrome extension, the directory name is in Chrome's 32-character a-p extension-ID format, and the js\aes.js, js\mode-ecb.js and js\pad-nopadding.js files are CryptoJS components (AES in ECB mode with no padding), alongside jQuery 3.3.1.
  File opened for modification: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js (8194c5a8a145a9c76349c08afc5caa1f.exe)
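The file list above is the kind of IoC table a responder wants to triage automatically: is the dropped directory an extension layout, does it sit outside Chrome's profile extension store, and what does it bundle? The Python below is an added example, not part of the report or of the sample. It parses IoC lines in the "<action> <path> <process>" form shown above (the ten lines are re-typed from the report as constructed input), groups them by the first path component that looks like a Chrome extension ID (32 letters a-p), and reports the layout. The profile-directory pattern and the CryptoJS file names are assumptions about normal Chrome and CryptoJS naming, not something the report states.

```python
import re
from collections import defaultdict

# Chrome extension IDs are 32 characters from the letters a-p.
CHROME_EXT_ID = re.compile(r"^[a-p]{32}$")
# One sandbox IoC per line: "<action> <path> <process image>"; the path may
# contain spaces, the process image may not.
IOC_LINE = re.compile(r"^(File created|File opened for modification) (.+?) (\S+\.exe)$")
# Store-installed extensions live under the profile, e.g.
# ...\Google\Chrome\User Data\Default\Extensions\<id>\<version>\ (assumed layout).
PROFILE_EXT_DIR = re.compile(r"\\user data\\[^\\]+\\extensions\\[a-p]{32}$", re.IGNORECASE)
# CryptoJS component file names (assumed); mode-ecb.js plus pad-nopadding.js
# means the extension ships AES-ECB with no padding.
CRYPTOJS_FILES = {"aes.js", "mode-ecb.js", "pad-nopadding.js"}

# Constructed input: the ten IoCs from the report, one per line.
SAMPLE_IOCS = r"""
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js 8194c5a8a145a9c76349c08afc5caa1f.exe
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js 8194c5a8a145a9c76349c08afc5caa1f.exe
"""


def parse_iocs(text):
    """Turn IoC lines into dicts with action, path and writing process."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed IoC line: {line!r}")
        records.append({"action": m.group(1), "path": m.group(2), "process": m.group(3)})
    return records


def find_unpacked_extensions(records):
    """Group file IoCs by extension-ID directory and describe each candidate layout."""
    by_root = defaultdict(lambda: {"files": set(), "writers": set()})
    for r in records:
        parts = r["path"].split("\\")
        for i, comp in enumerate(parts):
            if CHROME_EXT_ID.match(comp):
                root = "\\".join(parts[: i + 1])
                by_root[root]["files"].add("/".join(parts[i + 1:]))
                by_root[root]["writers"].add(r["process"])
                break
    findings = []
    for root, info in by_root.items():
        names = {f.rsplit("/", 1)[-1] for f in info["files"]}
        if "manifest.json" not in names:
            continue  # an a-p directory name without a manifest is not an extension layout
        findings.append({
            "extension_id": root.rsplit("\\", 1)[-1],
            "root": root,
            "file_count": len(info["files"]),          # distinct paths, repeats collapsed
            "outside_profile": PROFILE_EXT_DIR.search(root) is None,
            "cryptojs": sorted(names & CRYPTOJS_FILES),
            "has_content_script": "content.js" in names,
            "writers": sorted(info["writers"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_unpacked_extensions(parse_iocs(SAMPLE_IOCS)):
        print(f)
```

Run against the report's ten lines this yields one finding: ID aieoplapobidheellikiicjfpamacpfd, nine distinct files written by the dropper, outside any Chrome profile, with all three CryptoJS components and a content script. An extension written to Program Files by a non-Chrome process is the thing to alert on; Chrome itself only writes extensions under the user profile.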
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but nothing else in this report (no mass file writes, no encryption, no ransom note) supports that for this sample.
- Kills process with taskkill (1 IoC)
  PID 448 taskkill.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  PID 4900 (8194c5a8a145a9c76349c08afc5caa1f.exe) adjusted: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 31, 32, 33, 34, 35 (in winnt.h these are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
  PID 448 (taskkill.exe) adjusted: SeDebugPrivilege (expected for taskkill /f).
  The sample's list is every well-known privilege LUID from 2 through 35 in ascending order, i.e. a loop that calls AdjustTokenPrivileges for each privilege regardless of whether the token holds it. A normal administrator token does not hold privileges such as SeCreateTokenPrivilege or SeTcbPrivilege, so the report records the attempts, not successful elevation.
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4900 (8194c5a8a145a9c76349c08afc5caa1f.exe) wrote to memory of PID 4204 (cmd.exe): 3 IoCs
  PID 4204 (cmd.exe) wrote to memory of PID 448 (taskkill.exe): 3 IoCs
  PID 4900 (8194c5a8a145a9c76349c08afc5caa1f.exe) wrote to memory of PID 2476 (chrome.exe): 2 IoCs
  PID 2476 (chrome.exe) wrote to memory of PID 4916 (chrome.exe): 2 IoCs
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8194c5a8a145a9c76349c08afc5caa1f.exe (PID 4900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8194c5a8a145a9c76349c08afc5caa1f.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 4204)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 448)
      Command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2476)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4916)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc14db4f50,0x7ffc14db4f60,0x7ffc14db4f70

Reading the tree: the cmd.exe and taskkill.exe paths are under SysWOW64, so the dropper runs as a 32-bit process on the x64 image (matching the arch:x86 resource tag). The sequence is kill every running chrome.exe, then start chrome.exe again from the dropper itself; the relaunch command line recorded here carries no extra switches. The crashpad-handler child (PID 4916) is Chrome's own crash reporter, started by Chrome 89.0.4389.114 on every launch, and is not sample behaviour.
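The process tree is a compact detection pattern: a non-browser process spawns taskkill against the browser and, moments later, launches that same browser itself. The Python below is an added example, not part of the report or of the sample: it runs that logic over a constructed list of process-creation events modelled on the tree above (PIDs, parents and images are the report's; timestamps are assumed). It walks up through cmd.exe/taskkill.exe to the initiating process, pairs the kill with a relaunch of the same browser by that initiator inside a time window, and also extracts a --load-extension value if one is present on the relaunch command line. The browser list, the window length and the --load-extension check generalise beyond this report (the tree above shows a bare chrome.exe command line, so that field comes back empty for the report's events).

```python
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # images worth alerting on (assumed list)
WRAPPERS = {"cmd.exe", "taskkill.exe"}                  # walked through when finding the initiator
TASKKILL_IM = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
RELAUNCH_WINDOW_S = 60.0


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds since the first event (constructed)
    pid: int
    ppid: int
    image: str       # full image path
    cmdline: str


# Constructed timeline modelled on the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 4900, 1000, r"C:\Users\Admin\AppData\Local\Temp\8194c5a8a145a9c76349c08afc5caa1f.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\8194c5a8a145a9c76349c08afc5caa1f.exe"'),
    ProcEvent(1.2, 4204, 4900, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(1.3, 448, 4204, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    ProcEvent(2.5, 2476, 4900, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ProcEvent(2.7, 4916, 2476, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler'),
]


def _base(image: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def initiator_of(pid, by_pid):
    """Walk up from pid past cmd.exe/taskkill.exe to the first non-wrapper ancestor."""
    ev = by_pid.get(pid)
    while ev is not None and _base(ev.image) in WRAPPERS:
        ev = by_pid.get(ev.ppid)
    return ev


def detect_kill_and_relaunch(events, window_s=RELAUNCH_WINDOW_S):
    """Alert when the process behind a 'taskkill /im <browser>' relaunches that browser itself."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for kill in events:
        if _base(kill.image) != "taskkill.exe":
            continue
        m = TASKKILL_IM.search(kill.cmdline)
        if not m or m.group(1).lower() not in BROWSERS:
            continue
        target = m.group(1).lower()
        initiator = initiator_of(kill.ppid, by_pid)
        if initiator is None:
            continue
        for launch in events:
            if (launch.ppid == initiator.pid and _base(launch.image) == target
                    and kill.ts <= launch.ts <= kill.ts + window_s):
                lm = LOAD_EXT.search(launch.cmdline)
                alerts.append({
                    "initiator_pid": initiator.pid,
                    "initiator_image": _base(initiator.image),
                    "taskkill_pid": kill.pid,
                    "browser": target,
                    "relaunch_pid": launch.pid,
                    "delay_s": round(launch.ts - kill.ts, 2),
                    "load_extension": (lm.group(1) or lm.group(2)) if lm else None,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_kill_and_relaunch(SAMPLE_EVENTS):
        print(a)
```

The relaunch must come from the same initiator as the kill; Chrome's own crashpad-handler child has chrome.exe as its parent and is therefore ignored. A plain `taskkill /f /im chrome.exe` on its own (an uninstaller, a helpdesk script) does not fire because no relaunch follows.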