Analysis
- max time kernel: 56s
- max time network: 161s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 25-02-2023 22:17
Behavioral task: behavioral1
- Sample: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
- Resource: win7-20230220-en
General
- Target: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
- Size: 3.0MB
- MD5: af4268c094f2a9c6e6a85f8626b9a5c7
- SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
- SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
- SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
- SSDEEP: 49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe, cmd.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic os get Caption
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /C "wmic path win32_VideoController get name"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
      Command line: wmic path win32_VideoController get name
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /C "wmic cpu get name"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
      Command line: wmic cpu get name
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 95a12fa5756d0040e1c1284371ea17e4
  SHA1: a9c9c457a87ecca994364b6b0a8bbe815c64197d
  SHA256: 805458918a058fbae738b7e4fc57e4d3b8317adf26d11b9b9e53e22bc946b562
  SHA512: 1d71748f56e83e3d8e68bcec6a17ace238d904e767a10ef20c86be8c785ab3c3fea60c832e3b68e0277467ac1b053849d1f3d52bd872b2b9aa7206616ced56c5