Analysis
-
max time kernel: 209s
max time network: 213s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24-02-2023 04:47
-
Behavioral task: behavioral1
Sample: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
Resource: win7-20230220-en
General
-
Target: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
Size: 3.0MB
MD5: af4268c094f2a9c6e6a85f8626b9a5c7
SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
SSDEEP: 49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q
Malware Config
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and form/autofill entries.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
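The two signatures above name only the behaviour class; the report does not list which files were read. As an added example (not part of the report, and not the sandbox's own detection logic), the Python below classifies file-read events against common browser-credential and wallet artifact locations and reports only processes that read data they do not own, so a browser reading its own profile is not flagged. The artifact locations, the event shape (pid, image, path) and the events themselves are constructed assumptions; only the sample's path and PID 1296 are taken from this report's process tree.

```python
"""Classify file-read events against browser-credential and cryptocurrency-wallet
artifacts and flag only processes that read data they do not own.

Added example. The report names the signatures but not the files, so the artifact
locations, the event shape (pid/image/path) and the events below are constructed
assumptions; the sample's path and PID 1296 come from the report's process tree."""
import ntpath
import re

# (category, images that legitimately own the data, regex over the normalised path)
# Paths are matched after lower-casing and turning '\' into '/'.
ARTIFACTS = [
    ("browser", {"chrome.exe"},
     r"/google/chrome/user data/[^/]+/(login data|cookies|web data)$"),
    ("browser", {"chrome.exe"}, r"/google/chrome/user data/local state$"),
    ("browser", {"msedge.exe"},
     r"/microsoft/edge/user data/[^/]+/(login data|cookies|web data)$"),
    ("browser", {"firefox.exe"},
     r"/mozilla/firefox/profiles/[^/]+/(logins\.json|key4\.db|cookies\.sqlite)$"),
    ("wallet", {"exodus.exe"}, r"/exodus/exodus\.wallet/"),
    ("wallet", {"electrum.exe"}, r"/electrum/wallets/"),
    ("wallet", {"bitcoin-qt.exe", "bitcoind.exe"}, r"/bitcoin/wallet\.dat$"),
    # MetaMask extension storage inside the Chrome profile (extension id below)
    ("wallet", {"chrome.exe"},
     r"/local extension settings/nkbihfbeogaeaoehlefnkodbefgpgknn/"),
]
COMPILED = [(cat, owners, re.compile(rx)) for cat, owners, rx in ARTIFACTS]


def normalise(path):
    return path.replace("\\", "/").lower()


def classify(path):
    """Return (category, owning images) if path is a known artifact, else None."""
    p = normalise(path)
    for cat, owners, rx in COMPILED:
        if rx.search(p):
            return cat, owners
    return None


def find_harvesting(events):
    """events: iterable of {"pid", "image", "path"} file-read records.
    Returns {pid: {"image", "browser": [paths], "wallet": [paths]}} for every
    process that read an artifact owned by a different application."""
    findings = {}
    for e in events:
        hit = classify(e["path"])
        if hit is None:
            continue
        cat, owners = hit
        if ntpath.basename(e["image"]).lower() in owners:
            continue  # the owning application reading its own profile is expected
        entry = findings.setdefault(
            e["pid"], {"image": e["image"], "browser": [], "wallet": []})
        entry[cat].append(e["path"])
    return findings


def confidence(findings):
    """One process reading both credential stores and wallets is the stronger signal."""
    return {pid: ("high" if f["browser"] and f["wallet"] else "medium")
            for pid, f in findings.items()}


# Constructed events: the report's sample plus a benign browser read and an explorer read.
LOCAL = r"C:\Users\Admin\AppData\Local"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = LOCAL + r"\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
EVENTS = [
    {"pid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": LOCAL + r"\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1296, "image": SAMPLE,
     "path": LOCAL + r"\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1296, "image": SAMPLE,
     "path": LOCAL + r"\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 1296, "image": SAMPLE,
     "path": ROAMING + r"\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
    {"pid": 1296, "image": SAMPLE, "path": ROAMING + r"\Exodus\exodus.wallet\seed.seco"},
    {"pid": 1296, "image": SAMPLE,
     "path": LOCAL + r"\Google\Chrome\User Data\Default\Local Extension Settings"
                     r"\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"},
    {"pid": 700, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Admin\Desktop\notes.txt"},
]

if __name__ == "__main__":
    found = find_harvesting(EVENTS)
    for pid, f in found.items():
        print(f"PID {pid} ({ntpath.basename(f['image'])}) confidence={confidence(found)[pid]}")
        for cat in ("browser", "wallet"):
            for p in f[cat]:
                print(f"  {cat}: {p}")
```

The ownership check is what keeps this usable as a rule: the raw "read Login Data" event fires every time Chrome starts, while a process from %TEMP% touching the same file, and a wallet directory in the same run, is the pattern the two signatures describe.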
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wmic.exe (PID 1112), WMIC.exe (PID 896)
Both processes enable the same 20 privileges in their token, in this order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
PID 1112 wmic.exe: the full set, recorded twice (40 entries).
PID 896 WMIC.exe: the full set once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege again (24 entries).
The entries shown only as 33, 34 and 35 are privilege values the report did not resolve to a name; in the Windows privilege numbering (the SE_*_PRIVILEGE constants) they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35).
Note that wmic.exe enables every privilege its token holds when it starts, so this signature fires on any wmic invocation; the notable behaviour here is the sample launching wmic for host fingerprinting (see the process tree below), not the token adjustment itself.
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe, cmd.exe, cmd.exe
Each parent-to-child pair below is recorded four times (20 entries in total):
PID 1296 wrote to memory of 1112 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe -> wmic.exe
PID 1296 wrote to memory of 1360 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe -> cmd.exe
PID 1360 wrote to memory of 896 | cmd.exe -> WMIC.exe
PID 1296 wrote to memory of 992 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe -> cmd.exe
PID 992 wrote to memory of 1560 | cmd.exe -> WMIC.exe
Every target is a direct child of the writing process and the pairs mirror the process tree below, so these writes are consistent with process creation (the parent populating the new child's address space) rather than injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
  PID: 1296
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic os get Caption
    PID: 1112
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /C "wmic path win32_VideoController get name"
    PID: 1360
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name
      PID: 896
      - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /C "wmic cpu get name"
    PID: 992
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic cpu get name
      PID: 1560
All children run from C:\Windows\SysWOW64, so the sample is a 32-bit executable running under WOW64 on the x64 image (matching the arch:x86 resource tag). The three queries read the OS caption, the video controller name and the CPU name, a common host-profiling step before an infostealer commits to running; a hypervisor's generic display adapter or CPU model string is an easy sandbox tell.
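Added example, not part of the report: the tree above shows three wmic queries fanning out from the Temp-resident sample, two of them through a cmd /C wrapper. The Python below rebuilds such a tree from process-creation events, walks each wmic query's ancestry back to a root executing from a user-writable directory, and groups the queries per root so one finding covers the whole burst; an identical query run from an interactive admin shell (the constructed control events) is not flagged. The events reuse the PIDs, images and command lines from this report; the event shape (pid/ppid/image/cmdline, modelled on a Sysmon process-creation record), the parent PID 1000 of the sample, and the control processes 1500 and 2000 are constructed assumptions.

```python
"""Rebuild a process tree from process-creation events and flag WMI host
fingerprinting whose ancestry leads back to a user-writable directory.

Added example. Event shape (pid/ppid/image/cmdline) is an assumption modelled
on Sysmon Event ID 1; the sample events reuse the PIDs, images and command lines
from the report, with constructed parent PIDs for processes outside the tree."""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"

EVENTS = [
    {"pid": 1296, "ppid": 1000, "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 1112, "ppid": 1296, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic os get Caption"},
    {"pid": 1360, "ppid": 1296, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 896, "ppid": 1360, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 992, "ppid": 1296, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 1560, "ppid": 992, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
    # Constructed benign control: an administrator running the same query
    # from an interactive shell that was not started from a user-writable path.
    {"pid": 1500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
]

# WMI queries commonly used to profile a host before deciding whether to run:
# the three classes seen in the report plus a few siblings of the same kind.
FINGERPRINT_QUERY = re.compile(
    r"\bwmic\s+(os\s+get|path\s+win32_videocontroller\s+get|cpu\s+get|"
    r"computersystem\s+get|diskdrive\s+get|bios\s+get)\b",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to; anything launched from here is
# an untrusted parent for system tools.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(local\\temp|roaming)|downloads|desktop)\\",
    re.IGNORECASE,
)


def build_tree(events):
    """Index events by pid and by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Chain of events from pid up to the oldest ancestor present in the log.
    The seen-set guards against PID reuse producing a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_fingerprinting(events):
    """Return (root_pid, query_pid, cmdline) for each wmic fingerprint query
    that has an ancestor executing from a user-writable directory."""
    by_pid, _ = build_tree(events)
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "wmic.exe":
            continue  # match on the wmic process itself, not the cmd /C wrapper
        if not FINGERPRINT_QUERY.search(e["cmdline"]):
            continue
        root = next((a for a in ancestry(by_pid, e["pid"])
                     if USER_WRITABLE.match(a["image"])), None)
        if root is not None:
            hits.append((root["pid"], e["pid"], e["cmdline"]))
    return hits


def summarize(events):
    """Group hits per untrusted root so one finding covers the whole burst."""
    grouped = defaultdict(list)
    for root_pid, query_pid, cmd in find_fingerprinting(events):
        grouped[root_pid].append((query_pid, cmd))
    return dict(grouped)


if __name__ == "__main__":
    for root_pid, queries in summarize(EVENTS).items():
        print(f"PID {root_pid} ran {len(queries)} WMI fingerprint queries via children:")
        for query_pid, cmd in queries:
            print(f"  PID {query_pid}: {cmd}")
```

Matching on the wmic.exe process rather than on the command line of every ancestor avoids counting the cmd /C wrapper and its WMIC child as two hits, and walking the ancestry rather than checking only the direct parent is what still attributes the queries behind cmd.exe to PID 1296.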
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize: 71KB
MD5: 7634ebd082abbba35a8e6a300ec83c51
SHA1: 953666e70fbed932e4bed446f1d1e432781972b7
SHA256: 792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f
SHA512: 6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e