Analysis
max time kernel: 144s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2023, 20:14

Static task: static1
Behavioral task: behavioral1
Sample: Tradingview_Plus_cln.exe
Resource: win7-20221111-en

General
Target: Tradingview_Plus_cln.exe
Size: 11.9MB
MD5: 12c55a2c344ec1c33daf7ae427b7c5e5
SHA1: f1e6680e7591180cbb2d56b17b60a328d155042e
SHA256: cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339
SHA512: 904e3ec7110d5da938be5748abc2d7694e5d1f46eda45a9b64434d7b5c5bd1bc632448e066b8e8d37c75154d89203b1c3fe5d1d363dd204197f97a153c859b0a
SSDEEP: 98304:zB2WCqo07EZxOCKQJNR05epDuhY7Nv7j3RxOzPcDY8dmme54bcL9iA:zIWpT7EiQJP05epDvv7j3S0jdKL9d
Malware Config
Signatures
Executes dropped EXE (1 IoC)
    pid 504   sakjdhasdkj.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
    Process: Tradingview_Plus_cln.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Triage's generic note for this signature reads "Likely ransomware behaviour"; taken together with the browser-profile and wallet-file signatures above, drive enumeration in this sample is at least as consistent with an infostealer locating files to harvest, so do not read it as evidence of encryption on its own.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Every token adjustment in this run comes from the two WMIC instances started by sakjdhasdkj.exe (PIDs 1032 and 3472), not from the sample or the dropped binary itself. wmic.exe enables the privileges available in its token when it starts, so this signature is normal WMIC start-up behaviour here and mainly serves to confirm which process ran the queries. Triage caps the listing at 64 entries, which is why the second process's list is cut off after the start of its second round.

    wmic.exe, PID 1032 (the same 21-entry set enabled twice):
        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
        SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
        SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
        SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
        and unresolved privilege LUIDs 33, 34, 35, 36

    WMIC.exe, PID 3472:
        the same 21-entry set once, then SeIncreaseQuotaPrivilege again (listing truncated at the 64-IoC cap)
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent-to-child pair appears twice in the listing, so the 12 entries describe six process launches. procid_target is Triage's internal process index, not a Windows PID.

    source PID  source process              target PID  procid_target
    4720        Tradingview_Plus_cln.exe    504         83    (x2)
    504         sakjdhasdkj.exe             1032        90    (x2)
    504         sakjdhasdkj.exe             344         92    (x2)
    344         cmd.exe                     3472        94    (x2)
    504         sakjdhasdkj.exe             3252        95    (x2)
    3252        cmd.exe                     4988        97    (x2)
Processes

C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"
    PID 4720
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
        command line: "C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"
        PID 504
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\wmic.exe
            command line: wmic os get Caption
            PID 1032
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
            command line: cmd /C "wmic path win32_VideoController get name"
            PID 344
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\Wbem\WMIC.exe
                command line: wmic path win32_VideoController get name
                PID 3472
                - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
            command line: cmd /C "wmic cpu get name"
            PID 3252
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\Wbem\WMIC.exe
                command line: wmic cpu get name
                PID 4988

The chain is: the sample runs from the user's Temp directory, launches sakjdhasdkj.exe from AppData\Roaming, and that binary queries the OS caption, GPU name and CPU name through WMIC (two of the three wrapped in cmd /C). This trio of queries is a common environment-fingerprinting sequence, used both to profile the victim host and to recognise virtual machines and sandboxes from their vendor strings.
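As an added example (not part of the Triage report), the two rules below run over process-creation records constructed from the process tree above and reproduce the signatures a detection engineer would want from it: a binary in a user-writable directory driving WMI hardware/OS recon, and a user-writable executable launching another one. PIDs, image paths and command lines are copied from the report; the event shape, the ppid 0 stand-in for the sample's unknown parent, and the rule thresholds are assumptions.

```python
"""Added example, not Triage output: detection rules over constructed
process-creation records modelled on this report's process tree."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style: pid, parent pid, image, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 stands in for the sample's unknown parent.
EVENTS: List[ProcEvent] = [
    ProcEvent(4720, 0, r"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"'),
    ProcEvent(504, 4720, r"C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe",
              r'"C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"'),
    ProcEvent(1032, 504, r"C:\Windows\System32\Wbem\wmic.exe", "wmic os get Caption"),
    ProcEvent(344, 504, r"C:\Windows\system32\cmd.exe", 'cmd /C "wmic path win32_VideoController get name"'),
    ProcEvent(3472, 344, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    ProcEvent(3252, 504, r"C:\Windows\system32\cmd.exe", 'cmd /C "wmic cpu get name"'),
    ProcEvent(4988, 3252, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic cpu get name"),
]

# Locations a standard user can write to: a binary here is not bad by itself,
# but one that starts fingerprinting the host through WMI deserves a look.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)

# WMI classes that reveal OS, CPU and GPU details: the three queried in this
# report plus a few neighbours used for the same purpose (assumed list).
WMI_RECON = re.compile(
    r"\bwmic\b.*?\b(os|cpu|computersystem|bios|baseboard|diskdrive|path\s+win32_videocontroller)\b",
    re.IGNORECASE,
)

# Shells and the WMIC front-end itself; we look through these to the process that started the query.
WRAPPERS = {"cmd.exe", "wmic.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wmi_recon_class(cmdline: str) -> Optional[str]:
    """Return the normalised WMI class a wmic command line queries, or None if it is not recon."""
    m = WMI_RECON.search(cmdline)
    if not m:
        return None
    return m.group(1).split()[-1].lower()  # "path win32_VideoController" -> "win32_videocontroller"


def origin_of(pid: int, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk up past cmd/wmic wrappers to the first non-wrapper ancestor."""
    ev = by_pid.get(pid)
    seen: Set[int] = set()
    while ev is not None and basename(ev.image) in WRAPPERS and ev.pid not in seen:
        seen.add(ev.pid)
        ev = by_pid.get(ev.ppid)
    return ev


def find_wmi_recon_chains(events: List[ProcEvent], min_queries: int = 2) -> List[dict]:
    """Flag a process in a user-writable directory that, directly or via cmd.exe,
    runs at least min_queries distinct WMI hardware/OS recon queries."""
    by_pid = {e.pid: e for e in events}
    classes_by_origin: Dict[int, Set[str]] = {}
    for e in events:
        if basename(e.image) != "wmic.exe":  # count each query once, at WMIC, not at its cmd wrapper
            continue
        cls = wmi_recon_class(e.cmdline)
        if cls is None:
            continue
        origin = origin_of(e.pid, by_pid)
        if origin is not None:
            classes_by_origin.setdefault(origin.pid, set()).add(cls)
    alerts = []
    for pid, classes in sorted(classes_by_origin.items()):
        origin = by_pid[pid]
        if len(classes) >= min_queries and USER_WRITABLE.search(origin.image):
            alerts.append({"pid": pid, "image": origin.image, "queries": sorted(classes)})
    return alerts


def find_dropped_exe_launches(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Approximation of 'Executes dropped EXE' from process records alone: a process in a
    user-writable path launching a different executable that also lives in a user-writable
    path. A full rule would join on the parent's earlier file-create event for that image,
    which the report does not list, so it is not modelled here."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (USER_WRITABLE.search(parent.image) and USER_WRITABLE.search(e.image)
                and basename(parent.image) != basename(e.image)):
            hits.append((parent.pid, e.pid))
    return hits


if __name__ == "__main__":
    for a in find_wmi_recon_chains(EVENTS):
        print(f"WMI recon chain from PID {a['pid']} ({a['image']}): {', '.join(a['queries'])}")
    for ppid, pid in find_dropped_exe_launches(EVENTS):
        print(f"dropped-EXE launch: {ppid} -> {pid}")
```

Counting queries only at the WMIC process, and attributing them to the first non-wrapper ancestor, is what keeps the cmd /C hops from double-counting and ties all three queries back to PID 504 rather than to three unrelated cmd.exe instances; the same walk is what you would do in a SIEM over Sysmon event 1 data, where the parent chain is the only link between the dropped binary and the recon it performs.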
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 4.4MB
MD5: 9b6a95488caf9f998ee001cf188d50ca
SHA1: bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256: fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512: d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598