Analysis

max time kernel: 294s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2023, 17:40
General

Target: Rufus_setup.exe
Size: 807.5MB
MD5: 9b411930c0846d783adf3fe757e7a4cc
SHA1: 1a6316c0fe7d52efb9812b44214a488f904f2ba8
SHA256: 60f3105bb0be3b1b611e3d3e38f55e600292b0dcb887649315eb341cd66b3a50
SHA512: 7d2126f9700d7807c2cde4987dbc0a4e22798400534776ed978f3317ab901cc0ff536e954de943b1fd22531155b7c602cbeb99f3b588fe9f2ec5c91c59bc77f8
SSDEEP: 49152:3Bj9ybH3dYuRg6lJguwP4C2tq3lZ11tkCa45EHDKtGH5RDHW01k:2bHLRW4C2tOPEYGZRDY

Neither the file name nor the size matches the genuine Rufus release, which ships as a portable executable of roughly 1.4 MB named rufus-<version>.exe rather than as a setup program. An installer inflated to hundreds of megabytes is a common way to stay above the upload-size limits of antivirus cloud scanning and online sandboxes, so the size itself is worth treating as a signal when triaging lookalike downloads.
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
2264  3108        WerFault.exe  24

PID 3108, the process that crashed, is not among the processes listed in the tree below; only the two WerFault.exe instances that handled the crash were recorded.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 rows are the same 21 privileges enabled repeatedly by two processes; the table gives occurrences per token.

description                   pid 3424 wmic.exe   pid 688 WMIC.exe
SeIncreaseQuotaPrivilege      2                   2
SeSecurityPrivilege           2                   1
SeTakeOwnershipPrivilege      2                   1
SeLoadDriverPrivilege         2                   1
SeSystemProfilePrivilege      2                   1
SeSystemtimePrivilege         2                   1
SeProfSingleProcessPrivilege  2                   1
SeIncBasePriorityPrivilege    2                   1
SeCreatePagefilePrivilege     2                   1
SeBackupPrivilege             2                   1
SeRestorePrivilege            2                   1
SeShutdownPrivilege           2                   1
SeDebugPrivilege              2                   1
SeSystemEnvironmentPrivilege  2                   1
SeRemoteShutdownPrivilege     2                   1
SeUndockPrivilege             2                   1
SeManageVolumePrivilege       2                   1
33                            2                   1
34                            2                   1
35                            2                   1
36                            2                   1

Tokens 33 to 36 are privilege LUIDs the sandbox left unresolved; on Windows 10 they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege present in its token is wmic.exe's own start-up behaviour regardless of who launches it, so this signature is a by-product of the WMI queries shown in the process tree rather than evidence that the sample escalated privileges. The queries themselves are the interesting part.
Suspicious use of WriteProcessMemory (20 IoCs)
Each child process appears twice, once per write the sandbox recorded during its creation.

description                        pid   Process          procid_target
PID 4824 wrote to memory of 3424   4824  Rufus_setup.exe  82
PID 4824 wrote to memory of 3424   4824  Rufus_setup.exe  82
PID 4824 wrote to memory of 4196   4824  Rufus_setup.exe  84
PID 4824 wrote to memory of 4196   4824  Rufus_setup.exe  84
PID 4196 wrote to memory of 688    4196  cmd.exe          87
PID 4196 wrote to memory of 688    4196  cmd.exe          87
PID 4824 wrote to memory of 224    4824  Rufus_setup.exe  89
PID 4824 wrote to memory of 224    4824  Rufus_setup.exe  89
PID 224 wrote to memory of 3504    224   cmd.exe          92
PID 224 wrote to memory of 3504    224   cmd.exe          92
PID 1252 wrote to memory of 4972   1252  Rufus_setup.exe  103
PID 1252 wrote to memory of 4972   1252  Rufus_setup.exe  103
PID 1252 wrote to memory of 2120   1252  Rufus_setup.exe  105
PID 1252 wrote to memory of 2120   1252  Rufus_setup.exe  105
PID 2120 wrote to memory of 4956   2120  cmd.exe          107
PID 2120 wrote to memory of 4956   2120  cmd.exe          107
PID 1252 wrote to memory of 752    1252  Rufus_setup.exe  108
PID 1252 wrote to memory of 752    1252  Rufus_setup.exe  108
PID 752 wrote to memory of 4160    752   cmd.exe          110
PID 752 wrote to memory of 4160    752   cmd.exe          110
Processes
Indentation shows parent/child depth; each entry gives the image path, the command line and the signatures raised by that process.

C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe  (PID 4824)
    cmd: "C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe  (PID 3424)
        cmd: wmic os get Caption
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe  (PID 4196)
        cmd: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe  (PID 688)
            cmd: wmic path win32_VideoController get name
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe  (PID 224)
        cmd: cmd /C "wmic cpu get name"
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe  (PID 3504)
            cmd: wmic cpu get name

C:\Windows\system32\WerFault.exe  (PID 3460)
    cmd: C:\Windows\system32\WerFault.exe -pss -s 420 -p 3108 -ip 3108

C:\Windows\system32\WerFault.exe  (PID 2264)
    cmd: C:\Windows\system32\WerFault.exe -u -p 3108 -s 1628
    - Program crash

C:\Windows\System32\rundll32.exe  (PID 2628)
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe  (PID 1252)
    cmd: "C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe  (PID 4972)
        cmd: wmic os get Caption
    C:\Windows\system32\cmd.exe  (PID 2120)
        cmd: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe  (PID 4956)
            cmd: wmic path win32_VideoController get name
    C:\Windows\system32\cmd.exe  (PID 752)
        cmd: cmd /C "wmic cpu get name"
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe  (PID 4160)
            cmd: wmic cpu get name

The sample ran twice in this analysis (PIDs 4824 and 1252) and each run issued the same three WMI queries: the OS caption directly through wmic.exe, then the GPU name and the CPU name through cmd /C wrappers. Collecting exactly these values is typical host fingerprinting by infostealers, used both to tag victim logs and to spot virtual machines from generic display adapter and CPU names; the recorded events show no further activity under either run. The WerFault.exe and rundll32.exe entries are roots with no recorded parent and are not linked to the sample by any event in this report.
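Added example, not part of the sandbox report or of the Rufus project: a Python script that rebuilds the parent/child tree from the WriteProcessMemory rows above and flags any root process whose descendants query two or more host-describing WMI classes, which is the fingerprinting pattern in the process tree. The event lines and the PID-to-command-line map are constructed here to mirror the report; the line format, the separate command-line lookup and the extra classes bios and diskdrive are assumptions, the last two being a generalization to queries other stealers use for VM detection.

```python
"""Rebuild a process tree from sandbox 'wrote to memory of' events and flag
WMI-based host fingerprinting. Added example; event text and the command-line
map are constructed to mirror the report, and the line format is an assumption.
"""
import re
from collections import defaultdict

# Constructed copy of the report's WriteProcessMemory rows. The sandbox lists
# every child twice; parse_events() de-duplicates them.
WRITE_EVENTS = """\
PID 4824 wrote to memory of 3424 4824 Rufus_setup.exe 82
PID 4824 wrote to memory of 3424 4824 Rufus_setup.exe 82
PID 4824 wrote to memory of 4196 4824 Rufus_setup.exe 84
PID 4824 wrote to memory of 4196 4824 Rufus_setup.exe 84
PID 4196 wrote to memory of 688 4196 cmd.exe 87
PID 4196 wrote to memory of 688 4196 cmd.exe 87
PID 4824 wrote to memory of 224 4824 Rufus_setup.exe 89
PID 4824 wrote to memory of 224 4824 Rufus_setup.exe 89
PID 224 wrote to memory of 3504 224 cmd.exe 92
PID 224 wrote to memory of 3504 224 cmd.exe 92
PID 1252 wrote to memory of 4972 1252 Rufus_setup.exe 103
PID 1252 wrote to memory of 4972 1252 Rufus_setup.exe 103
PID 1252 wrote to memory of 2120 1252 Rufus_setup.exe 105
PID 1252 wrote to memory of 2120 1252 Rufus_setup.exe 105
PID 2120 wrote to memory of 4956 2120 cmd.exe 107
PID 2120 wrote to memory of 4956 2120 cmd.exe 107
PID 1252 wrote to memory of 752 1252 Rufus_setup.exe 108
PID 1252 wrote to memory of 752 1252 Rufus_setup.exe 108
PID 752 wrote to memory of 4160 752 cmd.exe 110
PID 752 wrote to memory of 4160 752 cmd.exe 110
"""

# Command lines per child PID, taken from the Processes section of the report
# (a real pipeline would carry these on the process-creation event itself).
CMDLINES = {
    3424: "wmic os get Caption",
    4196: 'cmd /C "wmic path win32_VideoController get name"',
    688: "wmic path win32_VideoController get name",
    224: 'cmd /C "wmic cpu get name"',
    3504: "wmic cpu get name",
    4972: "wmic os get Caption",
    2120: 'cmd /C "wmic path win32_VideoController get name"',
    4956: "wmic path win32_VideoController get name",
    752: 'cmd /C "wmic cpu get name"',
    4160: "wmic cpu get name",
}

# "PID <parent> wrote to memory of <child> <parent> <image> <seq>"; the second
# occurrence of the parent PID is checked with a back-reference.
EVENT_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<seq>\d+)"
)

# WMI classes that describe the host rather than do work. The first three are
# the ones the sample queries; bios and diskdrive are assumed additions that
# stealers commonly use to detect virtual machines.
FINGERPRINT_CLASSES = {
    "os": re.compile(r"\bwmic\s+os\b", re.I),
    "cpu": re.compile(r"\bwmic\s+cpu\b", re.I),
    "videocontroller": re.compile(r"win32_videocontroller", re.I),
    "bios": re.compile(r"\bwmic\s+bios\b", re.I),
    "diskdrive": re.compile(r"\bwmic\s+diskdrive\b", re.I),
}


def parse_events(text):
    """Return unique (parent_pid, child_pid, parent_image) triples in order."""
    seen = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue
        triple = (int(m["pid"]), int(m["target"]), m["image"])
        if triple not in seen:
            seen.append(triple)
    return seen


def build_tree(events):
    """Return (children map, root PIDs); a root is a parent nobody wrote to."""
    children = defaultdict(list)
    parents = {}
    for ppid, pid, _ in events:
        children[ppid].append(pid)
        parents[pid] = ppid
    roots = sorted({ppid for ppid, _, _ in events if ppid not in parents})
    return children, roots


def descendants(children, pid):
    """All PIDs below pid, depth-first."""
    stack = list(children.get(pid, []))
    out = []
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def fingerprint_classes(cmdline):
    """Set of host-describing WMI classes referenced by one command line."""
    return {name for name, rx in FINGERPRINT_CLASSES.items() if rx.search(cmdline)}


def find_fingerprinting_roots(events, cmdlines, min_classes=2):
    """Map root PID -> WMI classes its descendants queried, keeping roots that
    touched at least min_classes distinct classes (one query alone is noise)."""
    children, roots = build_tree(events)
    hits = {}
    for root in roots:
        classes = set()
        for pid in descendants(children, root):
            classes |= fingerprint_classes(cmdlines.get(pid, ""))
        if len(classes) >= min_classes:
            hits[root] = classes
    return hits


if __name__ == "__main__":
    for root, classes in find_fingerprinting_roots(parse_events(WRITE_EVENTS), CMDLINES).items():
        print(f"PID {root}: WMI host fingerprinting via {sorted(classes)}")
```

On a live host the same logic applies to process-creation telemetry such as Sysmon event ID 1, keyed on the parent process ID instead of the sandbox's write events; the threshold of two classes keeps a lone `wmic os get Caption` from an administrator's script from firing, while the cmd /C wrapper the sample uses is handled because the regexes look at the command line rather than the image name.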