Analysis
- max time kernel: 26s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2023, 20:14
- Static task: static1
- Behavioral task: behavioral1
  Sample: Tradingview_Plus_cln.exe
  Resource: win7-20221111-en
General
- Target: Tradingview_Plus_cln.exe
- Size: 11.9MB
- MD5: 12c55a2c344ec1c33daf7ae427b7c5e5
- SHA1: f1e6680e7591180cbb2d56b17b60a328d155042e
- SHA256: cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339
- SHA512: 904e3ec7110d5da938be5748abc2d7694e5d1f46eda45a9b64434d7b5c5bd1bc632448e066b8e8d37c75154d89203b1c3fe5d1d363dd204197f97a153c859b0a
- SSDEEP: 98304:zB2WCqo07EZxOCKQJNR05epDuhY7Nv7j3RxOzPcDY8dmme54bcL9iA:zIWpT7EiQJP05epDvv7j3S0jdKL9d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 364   Process sakjdhasdkj.exe
- Loads dropped DLL (2 IoCs)
  pid 1292  Process Tradingview_Plus_cln.exe (recorded twice)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Both wmic.exe (pid 696) and WMIC.exe (pid 1768) enable the same set of tokens. The report records the full set twice for pid 696 (40 entries) and once, followed by the first four tokens again, for pid 1768 (24 entries), 64 entries in total.
  Token                          pid   Process
  SeIncreaseQuotaPrivilege       696   wmic.exe   /  1768  WMIC.exe
  SeSecurityPrivilege            696   wmic.exe   /  1768  WMIC.exe
  SeTakeOwnershipPrivilege       696   wmic.exe   /  1768  WMIC.exe
  SeLoadDriverPrivilege          696   wmic.exe   /  1768  WMIC.exe
  SeSystemProfilePrivilege       696   wmic.exe   /  1768  WMIC.exe
  SeSystemtimePrivilege          696   wmic.exe   /  1768  WMIC.exe
  SeProfSingleProcessPrivilege   696   wmic.exe   /  1768  WMIC.exe
  SeIncBasePriorityPrivilege     696   wmic.exe   /  1768  WMIC.exe
  SeCreatePagefilePrivilege      696   wmic.exe   /  1768  WMIC.exe
  SeBackupPrivilege              696   wmic.exe   /  1768  WMIC.exe
  SeRestorePrivilege             696   wmic.exe   /  1768  WMIC.exe
  SeShutdownPrivilege            696   wmic.exe   /  1768  WMIC.exe
  SeDebugPrivilege               696   wmic.exe   /  1768  WMIC.exe
  SeSystemEnvironmentPrivilege   696   wmic.exe   /  1768  WMIC.exe
  SeRemoteShutdownPrivilege      696   wmic.exe   /  1768  WMIC.exe
  SeUndockPrivilege              696   wmic.exe   /  1768  WMIC.exe
  SeManageVolumePrivilege        696   wmic.exe   /  1768  WMIC.exe
  33                             696   wmic.exe   /  1768  WMIC.exe
  34                             696   wmic.exe   /  1768  WMIC.exe
  35                             696   wmic.exe   /  1768  WMIC.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Each row below is recorded three times in the report, 18 entries in total.
  description                        pid   Process                   procid_target
  PID 1292 wrote to memory of 364    1292  Tradingview_Plus_cln.exe  28
  PID 364 wrote to memory of 696     364   sakjdhasdkj.exe           29
  PID 364 wrote to memory of 1800    364   sakjdhasdkj.exe           32
  PID 1800 wrote to memory of 1768   1800  cmd.exe                   34
  PID 364 wrote to memory of 1572    364   sakjdhasdkj.exe           35
  PID 1572 wrote to memory of 1452   1572  cmd.exe                   37
Processes
- C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"
  PID:1292
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
    Command line: "C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"
    PID:364
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic os get Caption
      PID:696
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      Command line: cmd /C "wmic path win32_VideoController get name"
      PID:1800
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        PID:1768
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      Command line: cmd /C "wmic cpu get name"
      PID:1572
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic cpu get name
        PID:1452
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4.4MB
  MD5: 9b6a95488caf9f998ee001cf188d50ca
  SHA1: bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
  SHA256: fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
  SHA512: d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598