Analysis
- max time kernel: 31s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-02-2023 12:06

Behavioral task: behavioral1
- Sample: 07b974442b53035b8d057a7b429c191fe71f149a69804.exe
- Resource: win7-20230220-en
General
- Target: 07b974442b53035b8d057a7b429c191fe71f149a69804.exe
- Size: 3.0MB
- MD5: af4268c094f2a9c6e6a85f8626b9a5c7
- SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
- SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
- SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
- SSDEEP: 49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe

  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1492 | wmic.exe
  Token: SeSecurityPrivilege | 1492 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1492 | wmic.exe
  Token: SeLoadDriverPrivilege | 1492 | wmic.exe
  Token: SeSystemProfilePrivilege | 1492 | wmic.exe
  Token: SeSystemtimePrivilege | 1492 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1492 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1492 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1492 | wmic.exe
  Token: SeBackupPrivilege | 1492 | wmic.exe
  Token: SeRestorePrivilege | 1492 | wmic.exe
  Token: SeShutdownPrivilege | 1492 | wmic.exe
  Token: SeDebugPrivilege | 1492 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1492 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1492 | wmic.exe
  Token: SeUndockPrivilege | 1492 | wmic.exe
  Token: SeManageVolumePrivilege | 1492 | wmic.exe
  Token: 33 | 1492 | wmic.exe
  Token: 34 | 1492 | wmic.exe
  Token: 35 | 1492 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1492 | wmic.exe
  Token: SeSecurityPrivilege | 1492 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1492 | wmic.exe
  Token: SeLoadDriverPrivilege | 1492 | wmic.exe
  Token: SeSystemProfilePrivilege | 1492 | wmic.exe
  Token: SeSystemtimePrivilege | 1492 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1492 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1492 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1492 | wmic.exe
  Token: SeBackupPrivilege | 1492 | wmic.exe
  Token: SeRestorePrivilege | 1492 | wmic.exe
  Token: SeShutdownPrivilege | 1492 | wmic.exe
  Token: SeDebugPrivilege | 1492 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1492 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1492 | wmic.exe
  Token: SeUndockPrivilege | 1492 | wmic.exe
  Token: SeManageVolumePrivilege | 1492 | wmic.exe
  Token: 33 | 1492 | wmic.exe
  Token: 34 | 1492 | wmic.exe
  Token: 35 | 1492 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 388 | WMIC.exe
  Token: SeSecurityPrivilege | 388 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 388 | WMIC.exe
  Token: SeLoadDriverPrivilege | 388 | WMIC.exe
  Token: SeSystemProfilePrivilege | 388 | WMIC.exe
  Token: SeSystemtimePrivilege | 388 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 388 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 388 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 388 | WMIC.exe
  Token: SeBackupPrivilege | 388 | WMIC.exe
  Token: SeRestorePrivilege | 388 | WMIC.exe
  Token: SeShutdownPrivilege | 388 | WMIC.exe
  Token: SeDebugPrivilege | 388 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 388 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 388 | WMIC.exe
  Token: SeUndockPrivilege | 388 | WMIC.exe
  Token: SeManageVolumePrivilege | 388 | WMIC.exe
  Token: 33 | 388 | WMIC.exe
  Token: 34 | 388 | WMIC.exe
  Token: 35 | 388 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 388 | WMIC.exe
  Token: SeSecurityPrivilege | 388 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 388 | WMIC.exe
  Token: SeLoadDriverPrivilege | 388 | WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 07b974442b53035b8d057a7b429c191fe71f149a69804.exe, cmd.exe, cmd.exe

  description | pid | process | target process
  PID 912 wrote to memory of 1492 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | wmic.exe
  PID 912 wrote to memory of 1492 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | wmic.exe
  PID 912 wrote to memory of 1492 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | wmic.exe
  PID 912 wrote to memory of 1492 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | wmic.exe
  PID 912 wrote to memory of 1280 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 912 wrote to memory of 1280 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 912 wrote to memory of 1280 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 912 wrote to memory of 1280 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 1280 wrote to memory of 388 | 1280 | cmd.exe | WMIC.exe
  PID 1280 wrote to memory of 388 | 1280 | cmd.exe | WMIC.exe
  PID 1280 wrote to memory of 388 | 1280 | cmd.exe | WMIC.exe
  PID 1280 wrote to memory of 388 | 1280 | cmd.exe | WMIC.exe
  PID 912 wrote to memory of 780 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 912 wrote to memory of 780 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 912 wrote to memory of 780 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 912 wrote to memory of 780 | 912 | 07b974442b53035b8d057a7b429c191fe71f149a69804.exe | cmd.exe
  PID 780 wrote to memory of 1712 | 780 | cmd.exe | WMIC.exe
  PID 780 wrote to memory of 1712 | 780 | cmd.exe | WMIC.exe
  PID 780 wrote to memory of 1712 | 780 | cmd.exe | WMIC.exe
  PID 780 wrote to memory of 1712 | 780 | cmd.exe | WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a69804.exe (PID 912, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a69804.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1492, depth 2)
    Command line: wmic os get Caption
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1280, depth 2)
    Command line: cmd /C "wmic path win32_VideoController get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 388, depth 3)
      Command line: wmic path win32_VideoController get name
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 780, depth 2)
    Command line: cmd /C "wmic cpu get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1712, depth 3)
      Command line: wmic cpu get name
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: dfeffc3924409d9c9d3c8cae05be922b
  SHA1: a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4
  SHA256: 06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6
  SHA512: d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33