Resubmissions

21-02-2023 00:08

230221-aezqqseh4y 10

21-02-2023 00:03

230221-acbk5aeh3x 10

Analysis

  • max time kernel
    1636s
  • max time network
    1640s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    21-02-2023 00:08

General

  • Target
    14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
  • Size
    4.4MB
  • MD5
    15ae1218c1c773497a6a5e6db8d11922
  • SHA1
    8596dbd6e5e7dfdfbacd04051d192dd597d72b67
  • SHA256
    14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf
  • SHA512
    57c417052ace7f7e1b4c60da0549e733e6e1bcc35c3c952a0595501248ef25a801e71148d55334aeb38c57a9ecb851476f7c34fab86ee00d319e95ac79f4c45b
  • SSDEEP
    49152:yb9BphIVBmo8cBBThHHCrmYVzZLbdIo0MaN5EyKktGH5R7of01N:ipCmo/CrmyVYEqGZR7n

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
    "C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        PID:1332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\tyS7kkV7vI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:996

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize
    61KB
    MD5
    fc4666cbca561e864e7fdf883a9e6661
    SHA1
    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
    SHA256
    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
    SHA512
    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize
    342B
    MD5
    c68aca2c2efebc12c3a1b100711be5d9
    SHA1
    b6212c64a7aff5b40a7a53d674b2928205751979
    SHA256
    1668eeea853d58f0f166637989d980cdf4ab50248538af2b00df9083bf74ee7b
    SHA512
    2442e9fa4315af8623271d19a5b69136e67df755c31a6bcae50df7da62f8d586c1f09457ce4643d0366a07470b7e75b63eec3776966517fe71a4336b692d0213
  • C:\Users\Admin\AppData\Local\Temp\Cab1A57.tmp
    Filesize
    60KB
    MD5
    589c442fc7a0c70dca927115a700d41e
    SHA1
    66a07dace3afbfd1aa07a47e6875beab62c4bb31
    SHA256
    2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a
    SHA512
    1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b
  • C:\Users\Admin\AppData\Local\Temp\Tar1BC5.tmp
    Filesize
    161KB
    MD5
    73b4b714b42fc9a6aaefd0ae59adb009
    SHA1
    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
    SHA256
    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
    SHA512
    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd
  • C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
    Filesize
    88KB
    MD5
    88c971b16c7bf7eae7d747c058abb4b6
    SHA1
    e305dd617f84b14a09a8a1b94586503decf9fa61
    SHA256
    bd9a15d1d01ff83f3df71f6b715fc36fb9a51f4c9f79765ba6932f0a6f03e06d
    SHA512
    f86835b8a9007fd0c0a6a75a835c8b494afae3eb3ece852f146535f6e6b8a61bb013e9f4ac13be1a2581115962d2bc6b47a65ba5e2e06fb067540a61e88df9ac
  • C:\Users\Admin\AppData\Local\Temp\tyS7kkV7vI.exe
    Filesize
    12KB
    MD5
    45c4c4d2736b14b8de6c9e2b84fd6754
    SHA1
    e7351a73a73bdcd05ca5e4bac17f8413e027bc80
    SHA256
    94e01c41d4b6c9b8c455b8b06f76f00855d76567f4fd33e332810b0c6a956fa4
    SHA512
    c9fdb6b80efea14400b04f49ca12726c6d99028bd6621cba073e7e61b575da09ba4f7dba3c0b38f03261a1ec38ba3d0a686bd063ccb7aa57b7f9b213a771768d
  • memory/996-156-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
    Filesize
    2.9MB
  • memory/996-157-0x0000000001F40000-0x0000000001F48000-memory.dmp
    Filesize
    32KB
  • memory/996-160-0x0000000002780000-0x0000000002800000-memory.dmp
    Filesize
    512KB
  • memory/996-159-0x0000000002780000-0x0000000002800000-memory.dmp
    Filesize
    512KB
  • memory/996-161-0x0000000002780000-0x0000000002800000-memory.dmp
    Filesize
    512KB
  • memory/996-162-0x0000000002780000-0x0000000002800000-memory.dmp
    Filesize
    512KB