Analysis
- max time kernel: 27s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2023, 21:18
Behavioral task
- behavioral1
- Sample: Sеtup.exe
- Resource: win7-20221111-en
- 4 signatures
- 150 seconds
General
- Target: Sеtup.exe
- Size: 4.3MB
- MD5: 93475c7eb2830b66c3df41323b5d56ae
- SHA1: 000a633c84615bb4e04605d7716a7fa41e0169f2
- SHA256: 12c0844de2f1ce6a7e0b9ca8f0ff569a3fb817d93e60c719ef8edf3dba363c23
- SHA512: cb07e4642043b14ae1f9c6825e884412fcd5ef8fc3bd358d5451394af3870007ad8ac6ad314e081a7d209775a29082d2cd369e116456c65d6fa6621aad54ec18
- SSDEEP: 49152:vTgIheW24XJSastfj5NTpGktKDJ3MgmxeKhIAP8ZpGjaAtoJUTbd02F14Nte:vLhe/4XJIFjyhAPIJUiNo
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                           pid   Process
  Token: SeIncreaseQuotaPrivilege       2024  wmic.exe
  Token: SeSecurityPrivilege            2024  wmic.exe
  Token: SeTakeOwnershipPrivilege       2024  wmic.exe
  Token: SeLoadDriverPrivilege          2024  wmic.exe
  Token: SeSystemProfilePrivilege       2024  wmic.exe
  Token: SeSystemtimePrivilege          2024  wmic.exe
  Token: SeProfSingleProcessPrivilege   2024  wmic.exe
  Token: SeIncBasePriorityPrivilege     2024  wmic.exe
  Token: SeCreatePagefilePrivilege      2024  wmic.exe
  Token: SeBackupPrivilege              2024  wmic.exe
  Token: SeRestorePrivilege             2024  wmic.exe
  Token: SeShutdownPrivilege            2024  wmic.exe
  Token: SeDebugPrivilege               2024  wmic.exe
  Token: SeSystemEnvironmentPrivilege   2024  wmic.exe
  Token: SeRemoteShutdownPrivilege      2024  wmic.exe
  Token: SeUndockPrivilege              2024  wmic.exe
  Token: SeManageVolumePrivilege        2024  wmic.exe
  Token: 33                             2024  wmic.exe
  Token: 34                             2024  wmic.exe
  Token: 35                             2024  wmic.exe
  Token: SeIncreaseQuotaPrivilege       2024  wmic.exe
  Token: SeSecurityPrivilege            2024  wmic.exe
  Token: SeTakeOwnershipPrivilege       2024  wmic.exe
  Token: SeLoadDriverPrivilege          2024  wmic.exe
  Token: SeSystemProfilePrivilege       2024  wmic.exe
  Token: SeSystemtimePrivilege          2024  wmic.exe
  Token: SeProfSingleProcessPrivilege   2024  wmic.exe
  Token: SeIncBasePriorityPrivilege     2024  wmic.exe
  Token: SeCreatePagefilePrivilege      2024  wmic.exe
  Token: SeBackupPrivilege              2024  wmic.exe
  Token: SeRestorePrivilege             2024  wmic.exe
  Token: SeShutdownPrivilege            2024  wmic.exe
  Token: SeDebugPrivilege               2024  wmic.exe
  Token: SeSystemEnvironmentPrivilege   2024  wmic.exe
  Token: SeRemoteShutdownPrivilege      2024  wmic.exe
  Token: SeUndockPrivilege              2024  wmic.exe
  Token: SeManageVolumePrivilege        2024  wmic.exe
  Token: 33                             2024  wmic.exe
  Token: 34                             2024  wmic.exe
  Token: 35                             2024  wmic.exe
  Token: SeIncreaseQuotaPrivilege       1912  WMIC.exe
  Token: SeSecurityPrivilege            1912  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1912  WMIC.exe
  Token: SeLoadDriverPrivilege          1912  WMIC.exe
  Token: SeSystemProfilePrivilege       1912  WMIC.exe
  Token: SeSystemtimePrivilege          1912  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1912  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1912  WMIC.exe
  Token: SeCreatePagefilePrivilege      1912  WMIC.exe
  Token: SeBackupPrivilege              1912  WMIC.exe
  Token: SeRestorePrivilege             1912  WMIC.exe
  Token: SeShutdownPrivilege            1912  WMIC.exe
  Token: SeDebugPrivilege               1912  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1912  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1912  WMIC.exe
  Token: SeUndockPrivilege              1912  WMIC.exe
  Token: SeManageVolumePrivilege        1912  WMIC.exe
  Token: 33                             1912  WMIC.exe
  Token: 34                             1912  WMIC.exe
  Token: 35                             1912  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1912  WMIC.exe
  Token: SeSecurityPrivilege            1912  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1912  WMIC.exe
  Token: SeLoadDriverPrivilege          1912  WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)

  description                         pid   Process     procid_target
  PID 840 wrote to memory of 2024     840   Sеtup.exe   28
  PID 840 wrote to memory of 2024     840   Sеtup.exe   28
  PID 840 wrote to memory of 2024     840   Sеtup.exe   28
  PID 840 wrote to memory of 2024     840   Sеtup.exe   28
  PID 840 wrote to memory of 1008     840   Sеtup.exe   31
  PID 840 wrote to memory of 1008     840   Sеtup.exe   31
  PID 840 wrote to memory of 1008     840   Sеtup.exe   31
  PID 840 wrote to memory of 1008     840   Sеtup.exe   31
  PID 1008 wrote to memory of 1912    1008  cmd.exe     33
  PID 1008 wrote to memory of 1912    1008  cmd.exe     33
  PID 1008 wrote to memory of 1912    1008  cmd.exe     33
  PID 1008 wrote to memory of 1912    1008  cmd.exe     33
  PID 840 wrote to memory of 336      840   Sеtup.exe   34
  PID 840 wrote to memory of 336      840   Sеtup.exe   34
  PID 840 wrote to memory of 336      840   Sеtup.exe   34
  PID 840 wrote to memory of 336      840   Sеtup.exe   34
  PID 336 wrote to memory of 624      336   cmd.exe     36
  PID 336 wrote to memory of 624      336   cmd.exe     36
  PID 336 wrote to memory of 624      336   cmd.exe     36
  PID 336 wrote to memory of 624      336   cmd.exe     36
Processes
- C:\Users\Admin\AppData\Local\Temp\Sеtup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sеtup.exe"
  PID: 840
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 2024
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 1008
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 1912
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 336
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 624