Analysis
max time kernel: 90s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2023, 17:04

Behavioral task: behavioral1
Sample: Rufus_setup.exe
Resource: win7-20221111-en
4 signatures
150 seconds

General
Target: Rufus_setup.exe
Size: 807.5MB
MD5: 9b411930c0846d783adf3fe757e7a4cc
SHA1: 1a6316c0fe7d52efb9812b44214a488f904f2ba8
SHA256: 60f3105bb0be3b1b611e3d3e38f55e600292b0dcb887649315eb341cd66b3a50
SHA512: 7d2126f9700d7807c2cde4987dbc0a4e22798400534776ed978f3317ab901cc0ff536e954de943b1fd22531155b7c602cbeb99f3b588fe9f2ec5c91c59bc77f8
SSDEEP: 49152:3Bj9ybH3dYuRg6lJguwP4C2tq3lZ11tkCa45EHDKtGH5RDHW01k:2bHLRW4C2tOPEYGZRDY
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeIncreaseQuotaPrivilege        2264  wmic.exe
  Token: SeSecurityPrivilege             2264  wmic.exe
  Token: SeTakeOwnershipPrivilege        2264  wmic.exe
  Token: SeLoadDriverPrivilege           2264  wmic.exe
  Token: SeSystemProfilePrivilege        2264  wmic.exe
  Token: SeSystemtimePrivilege           2264  wmic.exe
  Token: SeProfSingleProcessPrivilege    2264  wmic.exe
  Token: SeIncBasePriorityPrivilege      2264  wmic.exe
  Token: SeCreatePagefilePrivilege       2264  wmic.exe
  Token: SeBackupPrivilege               2264  wmic.exe
  Token: SeRestorePrivilege              2264  wmic.exe
  Token: SeShutdownPrivilege             2264  wmic.exe
  Token: SeDebugPrivilege                2264  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2264  wmic.exe
  Token: SeRemoteShutdownPrivilege       2264  wmic.exe
  Token: SeUndockPrivilege               2264  wmic.exe
  Token: SeManageVolumePrivilege         2264  wmic.exe
  Token: 33                              2264  wmic.exe
  Token: 34                              2264  wmic.exe
  Token: 35                              2264  wmic.exe
  Token: 36                              2264  wmic.exe
  Token: SeIncreaseQuotaPrivilege        2264  wmic.exe
  Token: SeSecurityPrivilege             2264  wmic.exe
  Token: SeTakeOwnershipPrivilege        2264  wmic.exe
  Token: SeLoadDriverPrivilege           2264  wmic.exe
  Token: SeSystemProfilePrivilege        2264  wmic.exe
  Token: SeSystemtimePrivilege           2264  wmic.exe
  Token: SeProfSingleProcessPrivilege    2264  wmic.exe
  Token: SeIncBasePriorityPrivilege      2264  wmic.exe
  Token: SeCreatePagefilePrivilege       2264  wmic.exe
  Token: SeBackupPrivilege               2264  wmic.exe
  Token: SeRestorePrivilege              2264  wmic.exe
  Token: SeShutdownPrivilege             2264  wmic.exe
  Token: SeDebugPrivilege                2264  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2264  wmic.exe
  Token: SeRemoteShutdownPrivilege       2264  wmic.exe
  Token: SeUndockPrivilege               2264  wmic.exe
  Token: SeManageVolumePrivilege         2264  wmic.exe
  Token: 33                              2264  wmic.exe
  Token: 34                              2264  wmic.exe
  Token: 35                              2264  wmic.exe
  Token: 36                              2264  wmic.exe
  Token: SeIncreaseQuotaPrivilege        4480  WMIC.exe
  Token: SeSecurityPrivilege             4480  WMIC.exe
  Token: SeTakeOwnershipPrivilege        4480  WMIC.exe
  Token: SeLoadDriverPrivilege           4480  WMIC.exe
  Token: SeSystemProfilePrivilege        4480  WMIC.exe
  Token: SeSystemtimePrivilege           4480  WMIC.exe
  Token: SeProfSingleProcessPrivilege    4480  WMIC.exe
  Token: SeIncBasePriorityPrivilege      4480  WMIC.exe
  Token: SeCreatePagefilePrivilege       4480  WMIC.exe
  Token: SeBackupPrivilege               4480  WMIC.exe
  Token: SeRestorePrivilege              4480  WMIC.exe
  Token: SeShutdownPrivilege             4480  WMIC.exe
  Token: SeDebugPrivilege                4480  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    4480  WMIC.exe
  Token: SeRemoteShutdownPrivilege       4480  WMIC.exe
  Token: SeUndockPrivilege               4480  WMIC.exe
  Token: SeManageVolumePrivilege         4480  WMIC.exe
  Token: 33                              4480  WMIC.exe
  Token: 34                              4480  WMIC.exe
  Token: 35                              4480  WMIC.exe
  Token: 36                              4480  WMIC.exe
  Token: SeIncreaseQuotaPrivilege        4480  WMIC.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process          procid_target
  PID 2852 wrote to memory of 2264   2852  Rufus_setup.exe  83
  PID 2852 wrote to memory of 2264   2852  Rufus_setup.exe  83
  PID 2852 wrote to memory of 3080   2852  Rufus_setup.exe  85
  PID 2852 wrote to memory of 3080   2852  Rufus_setup.exe  85
  PID 3080 wrote to memory of 4480   3080  cmd.exe          87
  PID 3080 wrote to memory of 4480   3080  cmd.exe          87
  PID 2852 wrote to memory of 1072   2852  Rufus_setup.exe  88
  PID 2852 wrote to memory of 1072   2852  Rufus_setup.exe  88
  PID 1072 wrote to memory of 3332   1072  cmd.exe          90
  PID 1072 wrote to memory of 3332   1072  cmd.exe          90
Processes
- C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rufus_setup.exe"
  PID: 2852
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 2264
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 3080
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 4480
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 1072
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 3332