Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2023, 21:18
Behavioral task: behavioral1
- Sample: Sеtup.exe
- Resource: win7-20221111-en
- 4 signatures
- 150 seconds
General
- Target: Sеtup.exe
- Size: 4.3MB
- MD5: 93475c7eb2830b66c3df41323b5d56ae
- SHA1: 000a633c84615bb4e04605d7716a7fa41e0169f2
- SHA256: 12c0844de2f1ce6a7e0b9ca8f0ff569a3fb817d93e60c719ef8edf3dba363c23
- SHA512: cb07e4642043b14ae1f9c6825e884412fcd5ef8fc3bd358d5451394af3870007ad8ac6ad314e081a7d209775a29082d2cd369e116456c65d6fa6621aad54ec18
- SSDEEP: 49152:vTgIheW24XJSastfj5NTpGktKDJ3MgmxeKhIAP8ZpGjaAtoJUTbd02F14Nte:vLhe/4XJIFjyhAPIJUiNo
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Sеtup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sеtup.exe"
  PID: 4964
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 32
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 4724
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 2616
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 4324
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 4920