Analysis
- max time kernel: 15s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2023, 17:04
Behavioral task: behavioral1
- Sample: Rufus_setup.exe
- Resource: win7-20221111-en
- 4 signatures
- 150 seconds
General
- Target: Rufus_setup.exe
- Size: 807.5MB
- MD5: 9b411930c0846d783adf3fe757e7a4cc
- SHA1: 1a6316c0fe7d52efb9812b44214a488f904f2ba8
- SHA256: 60f3105bb0be3b1b611e3d3e38f55e600292b0dcb887649315eb341cd66b3a50
- SHA512: 7d2126f9700d7807c2cde4987dbc0a4e22798400534776ed978f3317ab901cc0ff536e954de943b1fd22531155b7c602cbeb99f3b588fe9f2ec5c91c59bc77f8
- SSDEEP: 49152:3Bj9ybH3dYuRg6lJguwP4C2tq3lZ11tkCa45EHDKtGH5RDHW01k:2bHLRW4C2tOPEYGZRDY
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                            pid   Process
  Token: SeIncreaseQuotaPrivilege        1216  wmic.exe
  Token: SeSecurityPrivilege             1216  wmic.exe
  Token: SeTakeOwnershipPrivilege        1216  wmic.exe
  Token: SeLoadDriverPrivilege           1216  wmic.exe
  Token: SeSystemProfilePrivilege        1216  wmic.exe
  Token: SeSystemtimePrivilege           1216  wmic.exe
  Token: SeProfSingleProcessPrivilege    1216  wmic.exe
  Token: SeIncBasePriorityPrivilege      1216  wmic.exe
  Token: SeCreatePagefilePrivilege       1216  wmic.exe
  Token: SeBackupPrivilege               1216  wmic.exe
  Token: SeRestorePrivilege              1216  wmic.exe
  Token: SeShutdownPrivilege             1216  wmic.exe
  Token: SeDebugPrivilege                1216  wmic.exe
  Token: SeSystemEnvironmentPrivilege    1216  wmic.exe
  Token: SeRemoteShutdownPrivilege       1216  wmic.exe
  Token: SeUndockPrivilege               1216  wmic.exe
  Token: SeManageVolumePrivilege         1216  wmic.exe
  Token: 33                              1216  wmic.exe
  Token: 34                              1216  wmic.exe
  Token: 35                              1216  wmic.exe
  Token: SeIncreaseQuotaPrivilege        1216  wmic.exe
  Token: SeSecurityPrivilege             1216  wmic.exe
  Token: SeTakeOwnershipPrivilege        1216  wmic.exe
  Token: SeLoadDriverPrivilege           1216  wmic.exe
  Token: SeSystemProfilePrivilege        1216  wmic.exe
  Token: SeSystemtimePrivilege           1216  wmic.exe
  Token: SeProfSingleProcessPrivilege    1216  wmic.exe
  Token: SeIncBasePriorityPrivilege      1216  wmic.exe
  Token: SeCreatePagefilePrivilege       1216  wmic.exe
  Token: SeBackupPrivilege               1216  wmic.exe
  Token: SeRestorePrivilege              1216  wmic.exe
  Token: SeShutdownPrivilege             1216  wmic.exe
  Token: SeDebugPrivilege                1216  wmic.exe
  Token: SeSystemEnvironmentPrivilege    1216  wmic.exe
  Token: SeRemoteShutdownPrivilege       1216  wmic.exe
  Token: SeUndockPrivilege               1216  wmic.exe
  Token: SeManageVolumePrivilege         1216  wmic.exe
  Token: 33                              1216  wmic.exe
  Token: 34                              1216  wmic.exe
  Token: 35                              1216  wmic.exe
  Token: SeIncreaseQuotaPrivilege        1584  WMIC.exe
  Token: SeSecurityPrivilege             1584  WMIC.exe
  Token: SeTakeOwnershipPrivilege        1584  WMIC.exe
  Token: SeLoadDriverPrivilege           1584  WMIC.exe
  Token: SeSystemProfilePrivilege        1584  WMIC.exe
  Token: SeSystemtimePrivilege           1584  WMIC.exe
  Token: SeProfSingleProcessPrivilege    1584  WMIC.exe
  Token: SeIncBasePriorityPrivilege      1584  WMIC.exe
  Token: SeCreatePagefilePrivilege       1584  WMIC.exe
  Token: SeBackupPrivilege               1584  WMIC.exe
  Token: SeRestorePrivilege              1584  WMIC.exe
  Token: SeShutdownPrivilege             1584  WMIC.exe
  Token: SeDebugPrivilege                1584  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    1584  WMIC.exe
  Token: SeRemoteShutdownPrivilege       1584  WMIC.exe
  Token: SeUndockPrivilege               1584  WMIC.exe
  Token: SeManageVolumePrivilege         1584  WMIC.exe
  Token: 33                              1584  WMIC.exe
  Token: 34                              1584  WMIC.exe
  Token: 35                              1584  WMIC.exe
  Token: SeIncreaseQuotaPrivilege        1584  WMIC.exe
  Token: SeSecurityPrivilege             1584  WMIC.exe
  Token: SeTakeOwnershipPrivilege        1584  WMIC.exe
  Token: SeLoadDriverPrivilege           1584  WMIC.exe

- Suspicious use of WriteProcessMemory (15 IoCs)

  description                        pid   Process          procid_target
  PID 1152 wrote to memory of 1216   1152  Rufus_setup.exe  28
  PID 1152 wrote to memory of 1216   1152  Rufus_setup.exe  28
  PID 1152 wrote to memory of 1216   1152  Rufus_setup.exe  28
  PID 1152 wrote to memory of 1480   1152  Rufus_setup.exe  31
  PID 1152 wrote to memory of 1480   1152  Rufus_setup.exe  31
  PID 1152 wrote to memory of 1480   1152  Rufus_setup.exe  31
  PID 1480 wrote to memory of 1584   1480  cmd.exe          33
  PID 1480 wrote to memory of 1584   1480  cmd.exe          33
  PID 1480 wrote to memory of 1584   1480  cmd.exe          33
  PID 1152 wrote to memory of 284    1152  Rufus_setup.exe  34
  PID 1152 wrote to memory of 284    1152  Rufus_setup.exe  34
  PID 1152 wrote to memory of 284    1152  Rufus_setup.exe  34
  PID 284 wrote to memory of 1380    284   cmd.exe          36
  PID 284 wrote to memory of 1380    284   cmd.exe          36
  PID 284 wrote to memory of 1380    284   cmd.exe          36
Processes
- C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe"
  PID: 1152
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 1216
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 1480
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 1584
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 284
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 1380