Analysis
-
max time kernel
176s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
12-02-2023 21:06
Behavioral task
behavioral1
Sample
50d48404f9b93a16c69aed2e6c585192.exe
Resource
win7-20221111-en
windows7-x64
4 signatures
150 seconds
General
-
Target
50d48404f9b93a16c69aed2e6c585192.exe
-
Size
3.0MB
-
MD5
50d48404f9b93a16c69aed2e6c585192
-
SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c
-
SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
-
SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
SSDEEP
49152:Eer33gFd4ujF1gD2hJAUIaEsLFA8uJp5vk1b:d04yhDTLO8uE
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 1616 wmic.exe Token: SeSecurityPrivilege 1616 wmic.exe Token: SeTakeOwnershipPrivilege 1616 wmic.exe Token: SeLoadDriverPrivilege 1616 wmic.exe Token: SeSystemProfilePrivilege 1616 wmic.exe Token: SeSystemtimePrivilege 1616 wmic.exe Token: SeProfSingleProcessPrivilege 1616 wmic.exe Token: SeIncBasePriorityPrivilege 1616 wmic.exe Token: SeCreatePagefilePrivilege 1616 wmic.exe Token: SeBackupPrivilege 1616 wmic.exe Token: SeRestorePrivilege 1616 wmic.exe Token: SeShutdownPrivilege 1616 wmic.exe Token: SeDebugPrivilege 1616 wmic.exe Token: SeSystemEnvironmentPrivilege 1616 wmic.exe Token: SeRemoteShutdownPrivilege 1616 wmic.exe Token: SeUndockPrivilege 1616 wmic.exe Token: SeManageVolumePrivilege 1616 wmic.exe Token: 33 1616 wmic.exe Token: 34 1616 wmic.exe Token: 35 1616 wmic.exe Token: 36 1616 wmic.exe Token: SeIncreaseQuotaPrivilege 1616 wmic.exe Token: SeSecurityPrivilege 1616 wmic.exe Token: SeTakeOwnershipPrivilege 1616 wmic.exe Token: SeLoadDriverPrivilege 1616 wmic.exe Token: SeSystemProfilePrivilege 1616 wmic.exe Token: SeSystemtimePrivilege 1616 wmic.exe Token: SeProfSingleProcessPrivilege 1616 wmic.exe Token: SeIncBasePriorityPrivilege 1616 wmic.exe Token: SeCreatePagefilePrivilege 1616 wmic.exe Token: SeBackupPrivilege 1616 wmic.exe Token: SeRestorePrivilege 1616 wmic.exe Token: SeShutdownPrivilege 1616 wmic.exe Token: SeDebugPrivilege 1616 wmic.exe Token: SeSystemEnvironmentPrivilege 1616 wmic.exe Token: SeRemoteShutdownPrivilege 1616 wmic.exe Token: SeUndockPrivilege 1616 wmic.exe Token: SeManageVolumePrivilege 1616 wmic.exe Token: 33 1616 wmic.exe Token: 34 1616 wmic.exe Token: 35 1616 wmic.exe Token: 36 1616 wmic.exe Token: SeIncreaseQuotaPrivilege 3760 WMIC.exe Token: SeSecurityPrivilege 3760 WMIC.exe Token: SeTakeOwnershipPrivilege 3760 WMIC.exe Token: SeLoadDriverPrivilege 3760 WMIC.exe Token: SeSystemProfilePrivilege 3760 WMIC.exe Token: SeSystemtimePrivilege 3760 WMIC.exe Token: SeProfSingleProcessPrivilege 3760 WMIC.exe Token: SeIncBasePriorityPrivilege 3760 WMIC.exe Token: SeCreatePagefilePrivilege 3760 WMIC.exe Token: SeBackupPrivilege 3760 WMIC.exe Token: SeRestorePrivilege 3760 WMIC.exe Token: SeShutdownPrivilege 3760 WMIC.exe Token: SeDebugPrivilege 3760 WMIC.exe Token: SeSystemEnvironmentPrivilege 3760 WMIC.exe Token: SeRemoteShutdownPrivilege 3760 WMIC.exe Token: SeUndockPrivilege 3760 WMIC.exe Token: SeManageVolumePrivilege 3760 WMIC.exe Token: 33 3760 WMIC.exe Token: 34 3760 WMIC.exe Token: 35 3760 WMIC.exe Token: 36 3760 WMIC.exe Token: SeIncreaseQuotaPrivilege 3760 WMIC.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
50d48404f9b93a16c69aed2e6c585192.execmd.execmd.exedescription pid process target process PID 856 wrote to memory of 1616 856 50d48404f9b93a16c69aed2e6c585192.exe wmic.exe PID 856 wrote to memory of 1616 856 50d48404f9b93a16c69aed2e6c585192.exe wmic.exe PID 856 wrote to memory of 1780 856 50d48404f9b93a16c69aed2e6c585192.exe cmd.exe PID 856 wrote to memory of 1780 856 50d48404f9b93a16c69aed2e6c585192.exe cmd.exe PID 1780 wrote to memory of 3760 1780 cmd.exe WMIC.exe PID 1780 wrote to memory of 3760 1780 cmd.exe WMIC.exe PID 856 wrote to memory of 3388 856 50d48404f9b93a16c69aed2e6c585192.exe cmd.exe PID 856 wrote to memory of 3388 856 50d48404f9b93a16c69aed2e6c585192.exe cmd.exe PID 3388 wrote to memory of 2520 3388 cmd.exe WMIC.exe PID 3388 wrote to memory of 2520 3388 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\50d48404f9b93a16c69aed2e6c585192.exe"C:\Users\Admin\AppData\Local\Temp\50d48404f9b93a16c69aed2e6c585192.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵