Analysis

max time kernel: 30s
max time network: 144s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 18-01-2023 05:20
Behavioral task: behavioral1
Sample: npp.8.4.8.Installer.x64.exe
Resource: win7-20221111-en (windows7-x64)
4 signatures, 150 seconds

Behavioral task: behavioral2
Sample: npp.8.4.8.Installer.x64.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
2 signatures, 150 seconds
General

Target: npp.8.4.8.Installer.x64.exe
Size: 4.4MB
MD5: c0a7843660c41c0da01a91298f426c03
SHA1: e94077a65ba887fd97d8824245bfdbfa914b464e
SHA256: 6c365c86aa823b55235be2d7f139160bfe994a33b2d34b73de239b24bbde7391
SHA512: c97c0712555476c8f0e0d39c5f52d36d8937c504f06f5ef5e9ec54fb98f3c61db910fefe5ab4c27d1c91c9c9e7688cd376b841c510090064fa563f412eeb91b9
SSDEEP: 49152:mj8saMWbZtUB8hSjRNTpGktKDJ3Ma1+Mf/bEA88pqhazt8JUtAl02F19NtvZk2:mosaxbZtJEj4rEAkJUcNdZr
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                           pid   Process
  Token: SeIncreaseQuotaPrivilege       1180  wmic.exe
  Token: SeSecurityPrivilege            1180  wmic.exe
  Token: SeTakeOwnershipPrivilege       1180  wmic.exe
  Token: SeLoadDriverPrivilege          1180  wmic.exe
  Token: SeSystemProfilePrivilege       1180  wmic.exe
  Token: SeSystemtimePrivilege          1180  wmic.exe
  Token: SeProfSingleProcessPrivilege   1180  wmic.exe
  Token: SeIncBasePriorityPrivilege     1180  wmic.exe
  Token: SeCreatePagefilePrivilege      1180  wmic.exe
  Token: SeBackupPrivilege              1180  wmic.exe
  Token: SeRestorePrivilege             1180  wmic.exe
  Token: SeShutdownPrivilege            1180  wmic.exe
  Token: SeDebugPrivilege               1180  wmic.exe
  Token: SeSystemEnvironmentPrivilege   1180  wmic.exe
  Token: SeRemoteShutdownPrivilege      1180  wmic.exe
  Token: SeUndockPrivilege              1180  wmic.exe
  Token: SeManageVolumePrivilege        1180  wmic.exe
  Token: 33                             1180  wmic.exe
  Token: 34                             1180  wmic.exe
  Token: 35                             1180  wmic.exe
  Token: SeIncreaseQuotaPrivilege       1180  wmic.exe
  Token: SeSecurityPrivilege            1180  wmic.exe
  Token: SeTakeOwnershipPrivilege       1180  wmic.exe
  Token: SeLoadDriverPrivilege          1180  wmic.exe
  Token: SeSystemProfilePrivilege       1180  wmic.exe
  Token: SeSystemtimePrivilege          1180  wmic.exe
  Token: SeProfSingleProcessPrivilege   1180  wmic.exe
  Token: SeIncBasePriorityPrivilege     1180  wmic.exe
  Token: SeCreatePagefilePrivilege      1180  wmic.exe
  Token: SeBackupPrivilege              1180  wmic.exe
  Token: SeRestorePrivilege             1180  wmic.exe
  Token: SeShutdownPrivilege            1180  wmic.exe
  Token: SeDebugPrivilege               1180  wmic.exe
  Token: SeSystemEnvironmentPrivilege   1180  wmic.exe
  Token: SeRemoteShutdownPrivilege      1180  wmic.exe
  Token: SeUndockPrivilege              1180  wmic.exe
  Token: SeManageVolumePrivilege        1180  wmic.exe
  Token: 33                             1180  wmic.exe
  Token: 34                             1180  wmic.exe
  Token: 35                             1180  wmic.exe
  Token: SeIncreaseQuotaPrivilege       1760  WMIC.exe
  Token: SeSecurityPrivilege            1760  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1760  WMIC.exe
  Token: SeLoadDriverPrivilege          1760  WMIC.exe
  Token: SeSystemProfilePrivilege       1760  WMIC.exe
  Token: SeSystemtimePrivilege          1760  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1760  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1760  WMIC.exe
  Token: SeCreatePagefilePrivilege      1760  WMIC.exe
  Token: SeBackupPrivilege              1760  WMIC.exe
  Token: SeRestorePrivilege             1760  WMIC.exe
  Token: SeShutdownPrivilege            1760  WMIC.exe
  Token: SeDebugPrivilege               1760  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1760  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1760  WMIC.exe
  Token: SeUndockPrivilege              1760  WMIC.exe
  Token: SeManageVolumePrivilege        1760  WMIC.exe
  Token: 33                             1760  WMIC.exe
  Token: 34                             1760  WMIC.exe
  Token: 35                             1760  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1760  WMIC.exe
  Token: SeSecurityPrivilege            1760  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1760  WMIC.exe
  Token: SeLoadDriverPrivilege          1760  WMIC.exe
- Suspicious use of WriteProcessMemory (35 IoCs)

  description                       pid   Process                      procid_target
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1180  1400  npp.8.4.8.Installer.x64.exe  28
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1400 wrote to memory of 1456  1400  npp.8.4.8.Installer.x64.exe  31
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1456 wrote to memory of 1760  1456  cmd.exe                      33
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1400 wrote to memory of 1808  1400  npp.8.4.8.Installer.x64.exe  34
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
  PID 1808 wrote to memory of 1540  1808  cmd.exe                      36
Processes

C:\Users\Admin\AppData\Local\Temp\npp.8.4.8.Installer.x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\npp.8.4.8.Installer.x64.exe"
  PID: 1400
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 1180
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 1456
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 1760
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 1808
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 1540