Analysis

max time kernel: 17s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2023, 15:32

Behavioral task: behavioral1
Sample: battle_net.exe
Resource: win7-20220901-en
7 signatures, 150 seconds
General

Target: battle_net.exe
Size: 272.4MB
MD5: bf4959547d8735d468dd21e2b66d17a8
SHA1: df743097f6be2ab02bb1c3e162f29c70d6b1d1d8
SHA256: 44b64cb2be0a5e9fd51528f00a308df71ead226c7cf733ed2568ada07c9044a8
SHA512: 1c17f986fb04200e51cda150c4b7dd7da826568c84d6fd7a5b4f0861edee9c3f301c6417a4fd30950379d288ab39ee57428bfefcb231b534f9fd3b82acf93301
SSDEEP: 49152:7VPS+54ybpRHV/jeNTpGktKDJ3MDvXIFRBMgUQyKQartOJU63D02F1yNw:7JS44ybfRjHFMgMJU/N
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 events come from the two WMIC children, not from battle_net.exe itself. Each token below was enabled twice by wmic.exe (PID 3788) and once by WMIC.exe (PID 4168), with SeIncreaseQuotaPrivilege logged a second time for PID 4168 (21 x 2 + 22 = 64). Tokens 33 to 36 are privilege LUID values the report does not resolve to names. This pattern is produced by wmic.exe adjusting its own token at start-up and appears for any wmic invocation, so the signal here is the queries being issued, not the privilege adjustments.

Token                          3788 wmic.exe   4168 WMIC.exe
SeIncreaseQuotaPrivilege       2               2
SeSecurityPrivilege            2               1
SeTakeOwnershipPrivilege       2               1
SeLoadDriverPrivilege          2               1
SeSystemProfilePrivilege       2               1
SeSystemtimePrivilege          2               1
SeProfSingleProcessPrivilege   2               1
SeIncBasePriorityPrivilege     2               1
SeCreatePagefilePrivilege      2               1
SeBackupPrivilege              2               1
SeRestorePrivilege             2               1
SeShutdownPrivilege            2               1
SeDebugPrivilege               2               1
SeSystemEnvironmentPrivilege   2               1
SeRemoteShutdownPrivilege      2               1
SeUndockPrivilege              2               1
SeManageVolumePrivilege        2               1
33                             2               1
34                             2               1
35                             2               1
36                             2               1

Suspicious use of WriteProcessMemory (15 IoCs)
Each write is reported three times; the five distinct writer/target pairs are:

PID   Process         wrote to PID   procid_target
900   battle_net.exe  3788           81
900   battle_net.exe  4276           83
4276  cmd.exe         4168           85
900   battle_net.exe  5024           86
5024  cmd.exe         4072           88

Every target is a process the writer itself spawns in the process tree below (wmic.exe, cmd.exe or WMIC.exe), so these writes are consistent with a parent writing into a child it has just created; no write to a process outside the tree is reported.
Processes

C:\Users\Admin\AppData\Local\Temp\battle_net.exe  (PID 900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\battle_net.exe"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 3788, child of 900)
    Command line: wmic os get Caption
    Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 4276, child of 900)
    Command line: cmd /C "wmic path win32_VideoController get name"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 4168, child of 4276)
      Command line: wmic path win32_VideoController get name
      Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 5024, child of 900)
    Command line: cmd /C "wmic cpu get name"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 4072, child of 5024)
      Command line: wmic cpu get name
      Signatures: none reported

The three queries (OS caption, GPU model, CPU model) are host fingerprinting. The children resolve to SysWOW64 rather than System32 because battle_net.exe runs as a 32-bit process under WOW64 and file-system redirection applies to the paths it launches.
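The process tree above, together with the WriteProcessMemory pairs, is the kind of parent/child chain a detection engineer would want to catch in endpoint telemetry: a binary in a user temp directory that fingerprints the host through WMIC, sometimes via a cmd /C wrapper. The following is an added example written for this page, not code from the report or from the sandbox vendor. It replays the report's PIDs, images and command lines as constructed Sysmon-style process-creation events (the field names, the parent PID of battle_net.exe, and the explorer.exe benign control chain are assumptions), collapses cmd/powershell wrappers to find the real origin of each query, and flags origins that run recon from a staging directory or run many distinct queries. The recon patterns beyond the three on this page are common variants added for generality.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation events mirroring the process tree in this
# report (Sysmon Event ID 1 style, reduced to the fields the logic needs).
# PIDs, images and command lines are the ones the report lists; the parent
# PID of battle_net.exe is not in the report and is left as None. The
# explorer.exe / cmd.exe / WMIC.exe chain at the end is a constructed benign
# control: an operator typing the same query into an interactive shell.
EVENTS = [
    {"pid": 900, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\battle_net.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\battle_net.exe"'},
    {"pid": 3788, "ppid": 900, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic os get Caption"},
    {"pid": 4276, "ppid": 900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 4168, "ppid": 4276, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 5024, "ppid": 900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 4072, "ppid": 5024, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
    {"pid": 7000, "ppid": None, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 7002, "ppid": 7001, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
]

# WMIC queries used to fingerprint a host. The first three are the ones in
# this report; the others are common variants assumed here for generality.
RECON_PATTERNS = {
    "os": re.compile(r"\bos\s+get\b"),
    "cpu": re.compile(r"\bcpu\s+get\b"),
    "gpu": re.compile(r"\bwin32_videocontroller\b"),
    "bios": re.compile(r"\bbios\s+get\b"),
    "system": re.compile(r"\bcomputersystem\s+get\b"),
    "disk": re.compile(r"\bdiskdrive\s+get\b"),
    "av": re.compile(r"\bantivirusproduct\b"),
}

# Interpreters that only relay a command line; the real origin sits above them.
SHELL_WRAPPERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Directories a dropped payload typically executes from (matched case-insensitively).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                "\\users\\public\\", "\\programdata\\")


def basename(image):
    return ntpath.basename(image).lower()


def classify_query(cmdline):
    """Return the recon category a WMIC command line matches, or None."""
    text = " ".join(cmdline.lower().split())  # normalise case and whitespace
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def origin_of(pid, by_pid):
    """Walk up past cmd/powershell wrappers to the process that launched the query."""
    ev = by_pid[pid]
    while ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
        if basename(ev["image"]) not in SHELL_WRAPPERS:
            break
    return ev


def recon_by_origin(events):
    """Map each originating PID to the sorted recon categories run beneath it."""
    by_pid = {e["pid"]: e for e in events}
    found = defaultdict(set)
    for e in events:
        # Count only the wmic process itself, not the cmd wrapper that quotes it.
        if basename(e["image"]) != "wmic.exe":
            continue
        category = classify_query(e["cmdline"])
        if category is not None:
            found[origin_of(e["pid"], by_pid)["pid"]].add(category)
    return {pid: sorted(cats) for pid, cats in found.items()}


def is_staged(image):
    """True if the image lives in a directory commonly used to stage dropped payloads."""
    return any(d in image.lower() for d in STAGING_DIRS)


def alerts(events, min_queries=3):
    """
    Flag an origin if it runs any recon from a staging directory, or if it
    issues at least `min_queries` distinct recon queries from anywhere else.
    Returns (pid, image, categories) tuples.
    """
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for pid, cats in recon_by_origin(events).items():
        image = by_pid[pid]["image"]
        if is_staged(image) or len(cats) >= min_queries:
            flagged.append((pid, image, cats))
    return flagged


if __name__ == "__main__":
    for pid, image, cats in alerts(EVENTS):
        print(f"ALERT pid={pid} image={image} recon={','.join(cats)}")
```

Run as-is it flags only PID 900 (battle_net.exe, three distinct queries from a temp directory); the explorer-launched `wmic cpu get name` is attributed to explorer.exe and stays below the threshold. Lowering `min_queries` to 1 turns the rule into a plain "any WMIC recon" alert, which is noisy on admin workstations; the staging-directory condition is what makes the default useful.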