Analysis
- max time kernel: 37s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2023, 18:16
Behavioral task: behavioral1
- Sample: Setup x64/Setup x64.exe
- Resource: win7-20220812-en
- 4 signatures
- 150 seconds
General
- Target: Setup x64/Setup x64.exe
- Size: 4.5MB
- MD5: 8f79ed747dc49babc02dd4c681a0b9f1
- SHA1: c6e186d5de372fb123859aa0211480420fd89f43
- SHA256: 0c3df6f52bb54a38255494cf2727e49bad06d1512d8a0e59b3589b6023baad18
- SHA512: ad651b4d26ad48bbb6ad6eadcb73287c530c3e6f9159b4f24f53351a0396cfa3183afd9751cf36404ed8bf3f20c9581c1fcc02938a0335d4e85e557b004121b8
- SSDEEP: 49152:5T9uyFnTWwIEAxh36MlzT1yJuH0Ogvm6raE5EAvJtGH5RDHp01B:myFhIJlzT1YrEKGZRDC
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                              pid   Process
  Token: SeIncreaseQuotaPrivilege          2036  wmic.exe
  Token: SeSecurityPrivilege               2036  wmic.exe
  Token: SeTakeOwnershipPrivilege          2036  wmic.exe
  Token: SeLoadDriverPrivilege             2036  wmic.exe
  Token: SeSystemProfilePrivilege          2036  wmic.exe
  Token: SeSystemtimePrivilege             2036  wmic.exe
  Token: SeProfSingleProcessPrivilege      2036  wmic.exe
  Token: SeIncBasePriorityPrivilege        2036  wmic.exe
  Token: SeCreatePagefilePrivilege         2036  wmic.exe
  Token: SeBackupPrivilege                 2036  wmic.exe
  Token: SeRestorePrivilege                2036  wmic.exe
  Token: SeShutdownPrivilege               2036  wmic.exe
  Token: SeDebugPrivilege                  2036  wmic.exe
  Token: SeSystemEnvironmentPrivilege      2036  wmic.exe
  Token: SeRemoteShutdownPrivilege         2036  wmic.exe
  Token: SeUndockPrivilege                 2036  wmic.exe
  Token: SeManageVolumePrivilege           2036  wmic.exe
  Token: 33                                2036  wmic.exe
  Token: 34                                2036  wmic.exe
  Token: 35                                2036  wmic.exe
  Token: SeIncreaseQuotaPrivilege          2036  wmic.exe
  Token: SeSecurityPrivilege               2036  wmic.exe
  Token: SeTakeOwnershipPrivilege          2036  wmic.exe
  Token: SeLoadDriverPrivilege             2036  wmic.exe
  Token: SeSystemProfilePrivilege          2036  wmic.exe
  Token: SeSystemtimePrivilege             2036  wmic.exe
  Token: SeProfSingleProcessPrivilege      2036  wmic.exe
  Token: SeIncBasePriorityPrivilege        2036  wmic.exe
  Token: SeCreatePagefilePrivilege         2036  wmic.exe
  Token: SeBackupPrivilege                 2036  wmic.exe
  Token: SeRestorePrivilege                2036  wmic.exe
  Token: SeShutdownPrivilege               2036  wmic.exe
  Token: SeDebugPrivilege                  2036  wmic.exe
  Token: SeSystemEnvironmentPrivilege      2036  wmic.exe
  Token: SeRemoteShutdownPrivilege         2036  wmic.exe
  Token: SeUndockPrivilege                 2036  wmic.exe
  Token: SeManageVolumePrivilege           2036  wmic.exe
  Token: 33                                2036  wmic.exe
  Token: 34                                2036  wmic.exe
  Token: 35                                2036  wmic.exe
  Token: SeIncreaseQuotaPrivilege          1804  WMIC.exe
  Token: SeSecurityPrivilege               1804  WMIC.exe
  Token: SeTakeOwnershipPrivilege          1804  WMIC.exe
  Token: SeLoadDriverPrivilege             1804  WMIC.exe
  Token: SeSystemProfilePrivilege          1804  WMIC.exe
  Token: SeSystemtimePrivilege             1804  WMIC.exe
  Token: SeProfSingleProcessPrivilege      1804  WMIC.exe
  Token: SeIncBasePriorityPrivilege        1804  WMIC.exe
  Token: SeCreatePagefilePrivilege         1804  WMIC.exe
  Token: SeBackupPrivilege                 1804  WMIC.exe
  Token: SeRestorePrivilege                1804  WMIC.exe
  Token: SeShutdownPrivilege               1804  WMIC.exe
  Token: SeDebugPrivilege                  1804  WMIC.exe
  Token: SeSystemEnvironmentPrivilege      1804  WMIC.exe
  Token: SeRemoteShutdownPrivilege         1804  WMIC.exe
  Token: SeUndockPrivilege                 1804  WMIC.exe
  Token: SeManageVolumePrivilege           1804  WMIC.exe
  Token: 33                                1804  WMIC.exe
  Token: 34                                1804  WMIC.exe
  Token: 35                                1804  WMIC.exe
  Token: SeIncreaseQuotaPrivilege          1804  WMIC.exe
  Token: SeSecurityPrivilege               1804  WMIC.exe
  Token: SeTakeOwnershipPrivilege          1804  WMIC.exe
  Token: SeLoadDriverPrivilege             1804  WMIC.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   Process         procid_target
  PID 1516 wrote to memory of 2036     1516  Setup x64.exe   27
  PID 1516 wrote to memory of 2036     1516  Setup x64.exe   27
  PID 1516 wrote to memory of 2036     1516  Setup x64.exe   27
  PID 1516 wrote to memory of 536      1516  Setup x64.exe   30
  PID 1516 wrote to memory of 536      1516  Setup x64.exe   30
  PID 1516 wrote to memory of 536      1516  Setup x64.exe   30
  PID 536 wrote to memory of 1804      536   cmd.exe         32
  PID 536 wrote to memory of 1804      536   cmd.exe         32
  PID 536 wrote to memory of 1804      536   cmd.exe         32
  PID 1516 wrote to memory of 1856     1516  Setup x64.exe   33
  PID 1516 wrote to memory of 1856     1516  Setup x64.exe   33
  PID 1516 wrote to memory of 1856     1516  Setup x64.exe   33
  PID 1856 wrote to memory of 1476     1856  cmd.exe         35
  PID 1856 wrote to memory of 1476     1856  cmd.exe         35
  PID 1856 wrote to memory of 1476     1856  cmd.exe         35
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup x64\Setup x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup x64\Setup x64.exe"
  PID: 1516
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 2036
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 536
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 1804
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 1856
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 1476