Analysis
-
max time kernel
72s -
max time network
177s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
24-02-2023 22:17
Behavioral task
behavioral1
Sample
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
Resource
win7-20230220-en
General
-
Target
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
-
Size
3.0MB
-
MD5
af4268c094f2a9c6e6a85f8626b9a5c7
-
SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395
-
SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
-
SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
-
SSDEEP
49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 1948 wmic.exe Token: SeSecurityPrivilege 1948 wmic.exe Token: SeTakeOwnershipPrivilege 1948 wmic.exe Token: SeLoadDriverPrivilege 1948 wmic.exe Token: SeSystemProfilePrivilege 1948 wmic.exe Token: SeSystemtimePrivilege 1948 wmic.exe Token: SeProfSingleProcessPrivilege 1948 wmic.exe Token: SeIncBasePriorityPrivilege 1948 wmic.exe Token: SeCreatePagefilePrivilege 1948 wmic.exe Token: SeBackupPrivilege 1948 wmic.exe Token: SeRestorePrivilege 1948 wmic.exe Token: SeShutdownPrivilege 1948 wmic.exe Token: SeDebugPrivilege 1948 wmic.exe Token: SeSystemEnvironmentPrivilege 1948 wmic.exe Token: SeRemoteShutdownPrivilege 1948 wmic.exe Token: SeUndockPrivilege 1948 wmic.exe Token: SeManageVolumePrivilege 1948 wmic.exe Token: 33 1948 wmic.exe Token: 34 1948 wmic.exe Token: 35 1948 wmic.exe Token: 36 1948 wmic.exe Token: SeIncreaseQuotaPrivilege 1948 wmic.exe Token: SeSecurityPrivilege 1948 wmic.exe Token: SeTakeOwnershipPrivilege 1948 wmic.exe Token: SeLoadDriverPrivilege 1948 wmic.exe Token: SeSystemProfilePrivilege 1948 wmic.exe Token: SeSystemtimePrivilege 1948 wmic.exe Token: SeProfSingleProcessPrivilege 1948 wmic.exe Token: SeIncBasePriorityPrivilege 1948 wmic.exe Token: SeCreatePagefilePrivilege 1948 wmic.exe Token: SeBackupPrivilege 1948 wmic.exe Token: SeRestorePrivilege 1948 wmic.exe Token: SeShutdownPrivilege 1948 wmic.exe Token: SeDebugPrivilege 1948 wmic.exe Token: SeSystemEnvironmentPrivilege 1948 wmic.exe Token: SeRemoteShutdownPrivilege 1948 wmic.exe Token: SeUndockPrivilege 1948 wmic.exe Token: SeManageVolumePrivilege 1948 wmic.exe Token: 33 1948 wmic.exe Token: 34 1948 wmic.exe Token: 35 1948 wmic.exe Token: 36 1948 wmic.exe Token: SeIncreaseQuotaPrivilege 3772 WMIC.exe Token: SeSecurityPrivilege 3772 WMIC.exe Token: SeTakeOwnershipPrivilege 3772 WMIC.exe Token: SeLoadDriverPrivilege 3772 WMIC.exe Token: SeSystemProfilePrivilege 3772 WMIC.exe Token: SeSystemtimePrivilege 3772 WMIC.exe Token: SeProfSingleProcessPrivilege 3772 WMIC.exe Token: SeIncBasePriorityPrivilege 3772 WMIC.exe Token: SeCreatePagefilePrivilege 3772 WMIC.exe Token: SeBackupPrivilege 3772 WMIC.exe Token: SeRestorePrivilege 3772 WMIC.exe Token: SeShutdownPrivilege 3772 WMIC.exe Token: SeDebugPrivilege 3772 WMIC.exe Token: SeSystemEnvironmentPrivilege 3772 WMIC.exe Token: SeRemoteShutdownPrivilege 3772 WMIC.exe Token: SeUndockPrivilege 3772 WMIC.exe Token: SeManageVolumePrivilege 3772 WMIC.exe Token: 33 3772 WMIC.exe Token: 34 3772 WMIC.exe Token: 35 3772 WMIC.exe Token: 36 3772 WMIC.exe Token: SeIncreaseQuotaPrivilege 3772 WMIC.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.execmd.execmd.exedescription pid process target process PID 3160 wrote to memory of 1948 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe wmic.exe PID 3160 wrote to memory of 1948 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe wmic.exe PID 3160 wrote to memory of 1948 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe wmic.exe PID 3160 wrote to memory of 2132 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe cmd.exe PID 3160 wrote to memory of 2132 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe cmd.exe PID 3160 wrote to memory of 2132 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe cmd.exe PID 2132 wrote to memory of 3772 2132 cmd.exe WMIC.exe PID 2132 wrote to memory of 3772 2132 cmd.exe WMIC.exe PID 2132 wrote to memory of 3772 2132 cmd.exe WMIC.exe PID 3160 wrote to memory of 1720 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe cmd.exe PID 3160 wrote to memory of 1720 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe cmd.exe PID 3160 wrote to memory of 1720 3160 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe cmd.exe PID 1720 wrote to memory of 4656 1720 cmd.exe WMIC.exe PID 1720 wrote to memory of 4656 1720 cmd.exe WMIC.exe PID 1720 wrote to memory of 4656 1720 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772 -
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name3⤵PID:4656
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPjFilesize
71KB
MD5a3eb5f22bc8e7f4060e3ff18c4ac70b9
SHA18480869a34c9723063dba9cc8279cf4e7c2bc4cd
SHA2560582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6
SHA5123e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0