Resubmissions

21-02-2023 00:08

230221-aezqqseh4y 10

21-02-2023 00:03

230221-acbk5aeh3x 10

Analysis

  • max time kernel
    1435s
  • max time network
    1225s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2023 00:08

General

  • Target

    14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

  • Size

    4.4MB

  • MD5

    15ae1218c1c773497a6a5e6db8d11922

  • SHA1

    8596dbd6e5e7dfdfbacd04051d192dd597d72b67

  • SHA256

    14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf

  • SHA512

    57c417052ace7f7e1b4c60da0549e733e6e1bcc35c3c952a0595501248ef25a801e71148d55334aeb38c57a9ecb851476f7c34fab86ee00d319e95ac79f4c45b

  • SSDEEP

    49152:yb9BphIVBmo8cBBThHHCrmYVzZLbdIo0MaN5EyKktGH5R7of01N:ipCmo/CrmyVYEqGZR7n

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
    "C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
          PID:4428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\lHIhcy06tW.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4792

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

      Filesize

      2KB

      MD5

      dd7a4110e2dc0760efdd47ee918c0deb

      SHA1

      5ed5efe128e521023e0caf4fff9af747522c8166

      SHA256

      550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084

      SHA512

      c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgf2qjoc.lhm.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\lHIhcy06tW.exe

      Filesize

      12KB

      MD5

      d36bfec56984a76bc563fd765cf01c86

      SHA1

      4e888faa701be3033f355e690a2f404d233fbae8

      SHA256

      a1aa99a63129686905567fa3fa996f479973e5dc63937d871bdae44a46cb704f

      SHA512

      7cecc6e3f61f06c284dd9f34178c18b9b70fdb65117773c9b3277af3a79898007492f634effe3e89cadad89598c62f4932e4f0a8d65f83df6b7a16fc5d20eee8

    • C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

      Filesize

      71KB

      MD5

      dc2b0f48d8f547d5ff7d67b371d850f0

      SHA1

      84d02ddbf478bf7cfe9ccb466362860ee18b3839

      SHA256

      0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890

      SHA512

      3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

    • memory/4792-188-0x0000022AB3DE0000-0x0000022AB3DF0000-memory.dmp

      Filesize

      64KB

    • memory/4792-189-0x0000022AB3D90000-0x0000022AB3DB2000-memory.dmp

      Filesize

      136KB

    • memory/4792-200-0x0000022AB3DE0000-0x0000022AB3DF0000-memory.dmp

      Filesize

      64KB