Analysis
- max time kernel: 30s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2023, 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: Tradingview_Plus_cln.exe
- Resource: win7-20221111-en
General
- Target: Tradingview_Plus_cln.exe
- Size: 11.9MB
- MD5: 12c55a2c344ec1c33daf7ae427b7c5e5
- SHA1: f1e6680e7591180cbb2d56b17b60a328d155042e
- SHA256: cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339
- SHA512: 904e3ec7110d5da938be5748abc2d7694e5d1f46eda45a9b64434d7b5c5bd1bc632448e066b8e8d37c75154d89203b1c3fe5d1d363dd204197f97a153c859b0a
- SSDEEP: 98304:zB2WCqo07EZxOCKQJNR05epDuhY7Nv7j3RxOzPcDY8dmme54bcL9iA:zIWpT7EiQJP05epDvv7j3S0jdKL9d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1852, process sakjdhasdkj.exe
- Loads dropped DLL (2 IoCs)
  pid 1488, process Tradingview_Plus_cln.exe (both loads)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Triage's stock description calls this likely ransomware behaviour, but drive enumeration is just as common in infostealers looking for files to collect, and the other signatures on this page (browser data, wallet files, WMIC hardware queries) fit that profile rather than ransomware.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Every entry is a wmic.exe process enabling privileges in its own token; the 64 entries are one block of 20 privileges repeated per invocation:
  pid 1016 wmic.exe (wmic os get Caption), two passes of:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 1692 WMIC.exe (wmic path win32_VideoController get name): the same 20 privileges once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege before the 64-entry cap truncates the listing.
  Caveat: WMIC enables every privilege already present in its token at startup (AdjustTokenPrivileges cannot add privileges the account does not hold), so this signature is the LOLBin's normal behaviour, not something the malware does; the listing is in ascending LUID order, and the three unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
- Suspicious use of WriteProcessMemory (18 IoCs)
  Each process launch is logged three times, so the 18 entries collapse to six parent-to-child writes (procid_target is Triage's internal process index):
    1488 Tradingview_Plus_cln.exe wrote to 1852 (target 28)
    1852 sakjdhasdkj.exe wrote to 1016 (target 29)
    1852 sakjdhasdkj.exe wrote to 804 (target 32)
    804 cmd.exe wrote to 1692 (target 34)
    1852 sakjdhasdkj.exe wrote to 1640 (target 35)
    1640 cmd.exe wrote to 904 (target 37)
  Every write targets a process the writer has just created, which is what CreateProcess itself does (the parent writes the child's startup parameters before it runs); none of them hit a pre-existing, unrelated process, so on their own these entries are consistent with ordinary process creation rather than injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe
  "C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"  (depth 1, PID 1488)
  Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
    "C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"  (depth 2, PID 1852)
    Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption  (depth 3, PID 1016)
      Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"  (depth 3, PID 804)
      Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name  (depth 4, PID 1692)
        Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"  (depth 3, PID 1640)
      Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name  (depth 4, PID 904)
  The three WMIC queries (OS caption, GPU name, CPU name) issued by the dropped sakjdhasdkj.exe profile the host; on a sandbox they return virtual hardware names, and stealers commonly collect exactly these values both to detect analysis environments and to tag the victim record, so this chain is the most useful hunting pattern on the page.
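The following is an added example, not code from the Triage report or the sample: a Python script that rebuilds the process tree from the "wrote to memory of" entries listed under Signatures (collapsing the triplicated lines), then flags the process that fingerprinted the host through WMIC (walking up through the cmd.exe wrappers) and the launch of a dropped executable from AppData\Roaming by a parent running out of Temp. The log lines and the pid-to-command-line map are constructed from this report's own Processes and WriteProcessMemory sections; the one-entry-per-line format, the function names and the two-class threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" entries,
# one per line as Triage lists them (each process launch appears three times).
WPM_LOG = """\
PID 1488 wrote to memory of 1852 1488 Tradingview_Plus_cln.exe 28
PID 1488 wrote to memory of 1852 1488 Tradingview_Plus_cln.exe 28
PID 1488 wrote to memory of 1852 1488 Tradingview_Plus_cln.exe 28
PID 1852 wrote to memory of 1016 1852 sakjdhasdkj.exe 29
PID 1852 wrote to memory of 1016 1852 sakjdhasdkj.exe 29
PID 1852 wrote to memory of 1016 1852 sakjdhasdkj.exe 29
PID 1852 wrote to memory of 804 1852 sakjdhasdkj.exe 32
PID 1852 wrote to memory of 804 1852 sakjdhasdkj.exe 32
PID 1852 wrote to memory of 804 1852 sakjdhasdkj.exe 32
PID 804 wrote to memory of 1692 804 cmd.exe 34
PID 804 wrote to memory of 1692 804 cmd.exe 34
PID 804 wrote to memory of 1692 804 cmd.exe 34
PID 1852 wrote to memory of 1640 1852 sakjdhasdkj.exe 35
PID 1852 wrote to memory of 1640 1852 sakjdhasdkj.exe 35
PID 1852 wrote to memory of 1640 1852 sakjdhasdkj.exe 35
PID 1640 wrote to memory of 904 1640 cmd.exe 37
PID 1640 wrote to memory of 904 1640 cmd.exe 37
PID 1640 wrote to memory of 904 1640 cmd.exe 37
"""

# Constructed from the report's Processes section: pid -> (image path, command line).
PROCESSES = {
    1488: (r"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"'),
    1852: (r"C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe",
           r'"C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"'),
    1016: (r"C:\Windows\System32\Wbem\wmic.exe", "wmic os get Caption"),
    804: (r"C:\Windows\system32\cmd.exe", 'cmd /C "wmic path win32_VideoController get name"'),
    1692: (r"C:\Windows\System32\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    1640: (r"C:\Windows\system32\cmd.exe", 'cmd /C "wmic cpu get name"'),
    904: (r"C:\Windows\System32\Wbem\WMIC.exe", "wmic cpu get name"),
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
# wmic <alias | path Class> get <props>; "os" and "cpu" are WMIC's built-in aliases.
WMIC_RE = re.compile(r"wmic\s+(?:path\s+)?(\S+)\s+get\s+", re.IGNORECASE)
WMIC_ALIASES = {"os": "win32_operatingsystem", "cpu": "win32_processor"}

def parse_edges(log):
    """De-duplicated (parent_pid, child_pid, parent_image) edges from the WPM entries."""
    edges = set()
    for line in log.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2)), m.group(3)))
    return edges

def parents_of(edges):
    """child pid -> parent pid."""
    return {child: parent for parent, child, _ in edges}

def wmi_class(cmdline):
    """Lower-cased WMI class a 'wmic ... get' command line queries, else None."""
    m = WMIC_RE.search(cmdline)
    if not m:
        return None
    token = m.group(1).lower()
    return WMIC_ALIASES.get(token, token)

def query_origin(pid, parents):
    """Walk up past cmd.exe wrappers to the process that really issued the query."""
    p = parents.get(pid)
    while p is not None and PROCESSES[p][0].lower().endswith("\\cmd.exe"):
        p = parents.get(p)
    return p

def wmic_fingerprinting(edges, min_classes=2):
    """Origin pid -> WMI classes, for origins that queried at least min_classes classes."""
    parents = parents_of(edges)
    by_origin = defaultdict(set)
    for pid, (image, cmdline) in PROCESSES.items():
        if not image.lower().endswith("\\wmic.exe"):
            continue  # cmd.exe wrappers repeat the query text; count only wmic itself
        cls = wmi_class(cmdline)
        origin = query_origin(pid, parents)
        if cls and origin is not None:
            by_origin[origin].add(cls)
    return {pid: c for pid, c in by_origin.items() if len(c) >= min_classes}

def dropped_executables(edges):
    """(parent, child) where a Temp-resident parent starts a child out of AppData\\Roaming."""
    return sorted(
        (parent, child) for parent, child, _ in edges
        if "\\appdata\\local\\temp\\" in PROCESSES[parent][0].lower()
        and "\\appdata\\roaming\\" in PROCESSES[child][0].lower()
    )

if __name__ == "__main__":
    edges = parse_edges(WPM_LOG)
    print("WMIC fingerprinting by origin pid:", wmic_fingerprinting(edges))
    print("Temp -> Roaming launches:", dropped_executables(edges))
```

Run against this report's data it attributes all three WMI classes (Win32_OperatingSystem, Win32_VideoController, Win32_Processor) to pid 1852 rather than to the two cmd.exe intermediaries, and reports the single 1488 -> 1852 dropped-executable launch. Walking past cmd.exe matters in a real EDR rule for the same reason: `cmd /C "wmic ..."` is how the sample hides the query's true parent.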
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4.4MB
  MD5: 9b6a95488caf9f998ee001cf188d50ca
  SHA1: bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
  SHA256: fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
  SHA512: d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598