Analysis
max time kernel: 63s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2023, 20:10
Static task: static1
Behavioral task: behavioral1
Sample: Tradingview_Plus_cln.exe
Resource: win7-20221111-en
General
Target: Tradingview_Plus_cln.exe
Size: 11.9MB
MD5: 12c55a2c344ec1c33daf7ae427b7c5e5
SHA1: f1e6680e7591180cbb2d56b17b60a328d155042e
SHA256: cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339
SHA512: 904e3ec7110d5da938be5748abc2d7694e5d1f46eda45a9b64434d7b5c5bd1bc632448e066b8e8d37c75154d89203b1c3fe5d1d363dd204197f97a153c859b0a
SSDEEP: 98304:zB2WCqo07EZxOCKQJNR05epDuhY7Nv7j3RxOzPcDY8dmme54bcL9iA:zIWpT7EiQJP05epDvv7j3S0jdKL9d
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
pid | Process
3080 | sakjdhasdkj.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Tradingview_Plus_cln.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3724 | wmic.exe
Token: SeSecurityPrivilege | 3724 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3724 | wmic.exe
Token: SeLoadDriverPrivilege | 3724 | wmic.exe
Token: SeSystemProfilePrivilege | 3724 | wmic.exe
Token: SeSystemtimePrivilege | 3724 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3724 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3724 | wmic.exe
Token: SeCreatePagefilePrivilege | 3724 | wmic.exe
Token: SeBackupPrivilege | 3724 | wmic.exe
Token: SeRestorePrivilege | 3724 | wmic.exe
Token: SeShutdownPrivilege | 3724 | wmic.exe
Token: SeDebugPrivilege | 3724 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3724 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3724 | wmic.exe
Token: SeUndockPrivilege | 3724 | wmic.exe
Token: SeManageVolumePrivilege | 3724 | wmic.exe
Token: 33 | 3724 | wmic.exe
Token: 34 | 3724 | wmic.exe
Token: 35 | 3724 | wmic.exe
Token: 36 | 3724 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3724 | wmic.exe
Token: SeSecurityPrivilege | 3724 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3724 | wmic.exe
Token: SeLoadDriverPrivilege | 3724 | wmic.exe
Token: SeSystemProfilePrivilege | 3724 | wmic.exe
Token: SeSystemtimePrivilege | 3724 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3724 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3724 | wmic.exe
Token: SeCreatePagefilePrivilege | 3724 | wmic.exe
Token: SeBackupPrivilege | 3724 | wmic.exe
Token: SeRestorePrivilege | 3724 | wmic.exe
Token: SeShutdownPrivilege | 3724 | wmic.exe
Token: SeDebugPrivilege | 3724 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3724 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3724 | wmic.exe
Token: SeUndockPrivilege | 3724 | wmic.exe
Token: SeManageVolumePrivilege | 3724 | wmic.exe
Token: 33 | 3724 | wmic.exe
Token: 34 | 3724 | wmic.exe
Token: 35 | 3724 | wmic.exe
Token: 36 | 3724 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3208 | WMIC.exe
Token: SeSecurityPrivilege | 3208 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3208 | WMIC.exe
Token: SeLoadDriverPrivilege | 3208 | WMIC.exe
Token: SeSystemProfilePrivilege | 3208 | WMIC.exe
Token: SeSystemtimePrivilege | 3208 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3208 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3208 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3208 | WMIC.exe
Token: SeBackupPrivilege | 3208 | WMIC.exe
Token: SeRestorePrivilege | 3208 | WMIC.exe
Token: SeShutdownPrivilege | 3208 | WMIC.exe
Token: SeDebugPrivilege | 3208 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3208 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3208 | WMIC.exe
Token: SeUndockPrivilege | 3208 | WMIC.exe
Token: SeManageVolumePrivilege | 3208 | WMIC.exe
Token: 33 | 3208 | WMIC.exe
Token: 34 | 3208 | WMIC.exe
Token: 35 | 3208 | WMIC.exe
Token: 36 | 3208 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3208 | WMIC.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4656 wrote to memory of 3080 | 4656 | Tradingview_Plus_cln.exe | 81
PID 4656 wrote to memory of 3080 | 4656 | Tradingview_Plus_cln.exe | 81
PID 3080 wrote to memory of 3724 | 3080 | sakjdhasdkj.exe | 82
PID 3080 wrote to memory of 3724 | 3080 | sakjdhasdkj.exe | 82
PID 3080 wrote to memory of 4892 | 3080 | sakjdhasdkj.exe | 84
PID 3080 wrote to memory of 4892 | 3080 | sakjdhasdkj.exe | 84
PID 4892 wrote to memory of 3208 | 4892 | cmd.exe | 86
PID 4892 wrote to memory of 3208 | 4892 | cmd.exe | 86
PID 3080 wrote to memory of 5060 | 3080 | sakjdhasdkj.exe | 87
PID 3080 wrote to memory of 5060 | 3080 | sakjdhasdkj.exe | 87
PID 5060 wrote to memory of 3964 | 5060 | cmd.exe | 89
PID 5060 wrote to memory of 3964 | 5060 | cmd.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4656
    C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe (depth 2)
      command line: "C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3080
        C:\Windows\System32\Wbem\wmic.exe (depth 3)
          command line: wmic os get Caption
          - Suspicious use of AdjustPrivilegeToken
          PID:3724
        C:\Windows\system32\cmd.exe (depth 3)
          command line: cmd /C "wmic path win32_VideoController get name"
          - Suspicious use of WriteProcessMemory
          PID:4892
            C:\Windows\System32\Wbem\WMIC.exe (depth 4)
              command line: wmic path win32_VideoController get name
              - Suspicious use of AdjustPrivilegeToken
              PID:3208
        C:\Windows\system32\cmd.exe (depth 3)
          command line: cmd /C "wmic cpu get name"
          - Suspicious use of WriteProcessMemory
          PID:5060
            C:\Windows\System32\Wbem\WMIC.exe (depth 4)
              command line: wmic cpu get name
              PID:3964
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 4.4MB
MD5: 9b6a95488caf9f998ee001cf188d50ca
SHA1: bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256: fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512: d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598