Analysis
- max time kernel: 78s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2023, 18:16

Behavioral task: behavioral1
- Sample: Setup x64/Setup x64.exe
- Resource: win7-20220812-en
- 4 signatures
- 150 seconds
General
- Target: Setup x64/Setup x64.exe
- Size: 4.5MB
- MD5: 8f79ed747dc49babc02dd4c681a0b9f1
- SHA1: c6e186d5de372fb123859aa0211480420fd89f43
- SHA256: 0c3df6f52bb54a38255494cf2727e49bad06d1512d8a0e59b3589b6023baad18
- SHA512: ad651b4d26ad48bbb6ad6eadcb73287c530c3e6f9159b4f24f53351a0396cfa3183afd9751cf36404ed8bf3f20c9581c1fcc02938a0335d4e85e557b004121b8
- SSDEEP: 49152:5T9uyFnTWwIEAxh36MlzT1yJuH0Ogvm6raE5EAvJtGH5RDHp01B:myFhIJlzT1YrEKGZRDC
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                              pid   Process
  Token: SeIncreaseQuotaPrivilege          5012  wmic.exe
  Token: SeSecurityPrivilege               5012  wmic.exe
  Token: SeTakeOwnershipPrivilege          5012  wmic.exe
  Token: SeLoadDriverPrivilege             5012  wmic.exe
  Token: SeSystemProfilePrivilege          5012  wmic.exe
  Token: SeSystemtimePrivilege             5012  wmic.exe
  Token: SeProfSingleProcessPrivilege      5012  wmic.exe
  Token: SeIncBasePriorityPrivilege        5012  wmic.exe
  Token: SeCreatePagefilePrivilege         5012  wmic.exe
  Token: SeBackupPrivilege                 5012  wmic.exe
  Token: SeRestorePrivilege                5012  wmic.exe
  Token: SeShutdownPrivilege               5012  wmic.exe
  Token: SeDebugPrivilege                  5012  wmic.exe
  Token: SeSystemEnvironmentPrivilege      5012  wmic.exe
  Token: SeRemoteShutdownPrivilege         5012  wmic.exe
  Token: SeUndockPrivilege                 5012  wmic.exe
  Token: SeManageVolumePrivilege           5012  wmic.exe
  Token: 33                                5012  wmic.exe
  Token: 34                                5012  wmic.exe
  Token: 35                                5012  wmic.exe
  Token: 36                                5012  wmic.exe
  Token: SeIncreaseQuotaPrivilege          5012  wmic.exe
  Token: SeSecurityPrivilege               5012  wmic.exe
  Token: SeTakeOwnershipPrivilege          5012  wmic.exe
  Token: SeLoadDriverPrivilege             5012  wmic.exe
  Token: SeSystemProfilePrivilege          5012  wmic.exe
  Token: SeSystemtimePrivilege             5012  wmic.exe
  Token: SeProfSingleProcessPrivilege      5012  wmic.exe
  Token: SeIncBasePriorityPrivilege        5012  wmic.exe
  Token: SeCreatePagefilePrivilege         5012  wmic.exe
  Token: SeBackupPrivilege                 5012  wmic.exe
  Token: SeRestorePrivilege                5012  wmic.exe
  Token: SeShutdownPrivilege               5012  wmic.exe
  Token: SeDebugPrivilege                  5012  wmic.exe
  Token: SeSystemEnvironmentPrivilege      5012  wmic.exe
  Token: SeRemoteShutdownPrivilege         5012  wmic.exe
  Token: SeUndockPrivilege                 5012  wmic.exe
  Token: SeManageVolumePrivilege           5012  wmic.exe
  Token: 33                                5012  wmic.exe
  Token: 34                                5012  wmic.exe
  Token: 35                                5012  wmic.exe
  Token: 36                                5012  wmic.exe
  Token: SeIncreaseQuotaPrivilege          4152  WMIC.exe
  Token: SeSecurityPrivilege               4152  WMIC.exe
  Token: SeTakeOwnershipPrivilege          4152  WMIC.exe
  Token: SeLoadDriverPrivilege             4152  WMIC.exe
  Token: SeSystemProfilePrivilege          4152  WMIC.exe
  Token: SeSystemtimePrivilege             4152  WMIC.exe
  Token: SeProfSingleProcessPrivilege      4152  WMIC.exe
  Token: SeIncBasePriorityPrivilege        4152  WMIC.exe
  Token: SeCreatePagefilePrivilege         4152  WMIC.exe
  Token: SeBackupPrivilege                 4152  WMIC.exe
  Token: SeRestorePrivilege                4152  WMIC.exe
  Token: SeShutdownPrivilege               4152  WMIC.exe
  Token: SeDebugPrivilege                  4152  WMIC.exe
  Token: SeSystemEnvironmentPrivilege      4152  WMIC.exe
  Token: SeRemoteShutdownPrivilege         4152  WMIC.exe
  Token: SeUndockPrivilege                 4152  WMIC.exe
  Token: SeManageVolumePrivilege           4152  WMIC.exe
  Token: 33                                4152  WMIC.exe
  Token: 34                                4152  WMIC.exe
  Token: 35                                4152  WMIC.exe
  Token: 36                                4152  WMIC.exe
  Token: SeIncreaseQuotaPrivilege          4152  WMIC.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process        procid_target
  PID 4728 wrote to memory of 5012   4728  Setup x64.exe  81
  PID 4728 wrote to memory of 5012   4728  Setup x64.exe  81
  PID 4728 wrote to memory of 4832   4728  Setup x64.exe  83
  PID 4728 wrote to memory of 4832   4728  Setup x64.exe  83
  PID 4832 wrote to memory of 4152   4832  cmd.exe        85
  PID 4832 wrote to memory of 4152   4832  cmd.exe        85
  PID 4728 wrote to memory of 1208   4728  Setup x64.exe  86
  PID 4728 wrote to memory of 1208   4728  Setup x64.exe  86
  PID 1208 wrote to memory of 1096   1208  cmd.exe        88
  PID 1208 wrote to memory of 1096   1208  cmd.exe        88
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup x64\Setup x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup x64\Setup x64.exe"
  PID: 4728
  Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 5012
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 4832
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 4152
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 1208
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 1096