Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-02-2023 22:17
Behavioral task
- behavioral1
- Sample: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
- Resource: win7-20230220-en
General
- Target: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
- Size: 3.0MB
- MD5: af4268c094f2a9c6e6a85f8626b9a5c7
- SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
- SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
- SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
- SSDEEP: 49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      684   wmic.exe
  Token: SeSecurityPrivilege           684   wmic.exe
  Token: SeTakeOwnershipPrivilege      684   wmic.exe
  Token: SeLoadDriverPrivilege         684   wmic.exe
  Token: SeSystemProfilePrivilege      684   wmic.exe
  Token: SeSystemtimePrivilege         684   wmic.exe
  Token: SeProfSingleProcessPrivilege  684   wmic.exe
  Token: SeIncBasePriorityPrivilege    684   wmic.exe
  Token: SeCreatePagefilePrivilege     684   wmic.exe
  Token: SeBackupPrivilege             684   wmic.exe
  Token: SeRestorePrivilege            684   wmic.exe
  Token: SeShutdownPrivilege           684   wmic.exe
  Token: SeDebugPrivilege              684   wmic.exe
  Token: SeSystemEnvironmentPrivilege  684   wmic.exe
  Token: SeRemoteShutdownPrivilege     684   wmic.exe
  Token: SeUndockPrivilege             684   wmic.exe
  Token: SeManageVolumePrivilege       684   wmic.exe
  Token: 33                            684   wmic.exe
  Token: 34                            684   wmic.exe
  Token: 35                            684   wmic.exe
  Token: SeIncreaseQuotaPrivilege      684   wmic.exe
  Token: SeSecurityPrivilege           684   wmic.exe
  Token: SeTakeOwnershipPrivilege      684   wmic.exe
  Token: SeLoadDriverPrivilege         684   wmic.exe
  Token: SeSystemProfilePrivilege      684   wmic.exe
  Token: SeSystemtimePrivilege         684   wmic.exe
  Token: SeProfSingleProcessPrivilege  684   wmic.exe
  Token: SeIncBasePriorityPrivilege    684   wmic.exe
  Token: SeCreatePagefilePrivilege     684   wmic.exe
  Token: SeBackupPrivilege             684   wmic.exe
  Token: SeRestorePrivilege            684   wmic.exe
  Token: SeShutdownPrivilege           684   wmic.exe
  Token: SeDebugPrivilege              684   wmic.exe
  Token: SeSystemEnvironmentPrivilege  684   wmic.exe
  Token: SeRemoteShutdownPrivilege     684   wmic.exe
  Token: SeUndockPrivilege             684   wmic.exe
  Token: SeManageVolumePrivilege       684   wmic.exe
  Token: 33                            684   wmic.exe
  Token: 34                            684   wmic.exe
  Token: 35                            684   wmic.exe
  Token: SeIncreaseQuotaPrivilege      1760  WMIC.exe
  Token: SeSecurityPrivilege           1760  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1760  WMIC.exe
  Token: SeLoadDriverPrivilege         1760  WMIC.exe
  Token: SeSystemProfilePrivilege      1760  WMIC.exe
  Token: SeSystemtimePrivilege         1760  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1760  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1760  WMIC.exe
  Token: SeCreatePagefilePrivilege     1760  WMIC.exe
  Token: SeBackupPrivilege             1760  WMIC.exe
  Token: SeRestorePrivilege            1760  WMIC.exe
  Token: SeShutdownPrivilege           1760  WMIC.exe
  Token: SeDebugPrivilege              1760  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1760  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1760  WMIC.exe
  Token: SeUndockPrivilege             1760  WMIC.exe
  Token: SeManageVolumePrivilege       1760  WMIC.exe
  Token: 33                            1760  WMIC.exe
  Token: 34                            1760  WMIC.exe
  Token: 35                            1760  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1760  WMIC.exe
  Token: SeSecurityPrivilege           1760  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1760  WMIC.exe
  Token: SeLoadDriverPrivilege         1760  WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe, cmd.exe, cmd.exe
  description                        pid   process                                                                   target process
  PID 1260 wrote to memory of 684    1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  wmic.exe
  PID 1260 wrote to memory of 684    1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  wmic.exe
  PID 1260 wrote to memory of 684    1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  wmic.exe
  PID 1260 wrote to memory of 684    1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  wmic.exe
  PID 1260 wrote to memory of 1680   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1260 wrote to memory of 1680   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1260 wrote to memory of 1680   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1260 wrote to memory of 1680   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1680 wrote to memory of 1760   1680  cmd.exe                                                                   WMIC.exe
  PID 1680 wrote to memory of 1760   1680  cmd.exe                                                                   WMIC.exe
  PID 1680 wrote to memory of 1760   1680  cmd.exe                                                                   WMIC.exe
  PID 1680 wrote to memory of 1760   1680  cmd.exe                                                                   WMIC.exe
  PID 1260 wrote to memory of 1408   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1260 wrote to memory of 1408   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1260 wrote to memory of 1408   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1260 wrote to memory of 1408   1260  07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe  cmd.exe
  PID 1408 wrote to memory of 1212   1408  cmd.exe                                                                   WMIC.exe
  PID 1408 wrote to memory of 1212   1408  cmd.exe                                                                   WMIC.exe
  PID 1408 wrote to memory of 1212   1408  cmd.exe                                                                   WMIC.exe
  PID 1408 wrote to memory of 1212   1408  cmd.exe                                                                   WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
  PID: 1260
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 684
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 1680
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 1760
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 1408
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 1212
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: e5e81f0ae5ba9a2ac3db0a17d3c9f810
  SHA1: c2d6bdf002325094ff399b1e4c36df575b48ee4f
  SHA256: a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3
  SHA512: cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce