Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-02-2023 16:01
Behavioral task
- behavioral1
  Sample: 2daf6321a7fb96cd0834ebd018e67dc2.exe
  Resource: win7-20230220-en
General
- Target: 2daf6321a7fb96cd0834ebd018e67dc2.exe
- Size: 3.0MB
- MD5: 2daf6321a7fb96cd0834ebd018e67dc2
- SHA1: a5a919af73f94ac824ee77df9c140a3a616518e8
- SHA256: 1bb3d1cfe99f7dcc5898431a3329c39eb6ca9d2e39072c83d469b3898c1a124f
- SHA512: 210a04c1d2397acc1d199b48076c7b7d434b4cfe02e25d090b95bd4ffe9cf29a17e4d849762657f033e1bd5cf40f319122e799d30ce80ad8176715b2ac7d6450
- SSDEEP: 49152:5Lx3cqFBYdH3EQK1EsBgcPaVsLFA8p9u1Xk1:02YEB1LO8p
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe

  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      1056  wmic.exe
  Token: SeSecurityPrivilege           1056  wmic.exe
  Token: SeTakeOwnershipPrivilege      1056  wmic.exe
  Token: SeLoadDriverPrivilege         1056  wmic.exe
  Token: SeSystemProfilePrivilege      1056  wmic.exe
  Token: SeSystemtimePrivilege         1056  wmic.exe
  Token: SeProfSingleProcessPrivilege  1056  wmic.exe
  Token: SeIncBasePriorityPrivilege    1056  wmic.exe
  Token: SeCreatePagefilePrivilege     1056  wmic.exe
  Token: SeBackupPrivilege             1056  wmic.exe
  Token: SeRestorePrivilege            1056  wmic.exe
  Token: SeShutdownPrivilege           1056  wmic.exe
  Token: SeDebugPrivilege              1056  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1056  wmic.exe
  Token: SeRemoteShutdownPrivilege     1056  wmic.exe
  Token: SeUndockPrivilege             1056  wmic.exe
  Token: SeManageVolumePrivilege       1056  wmic.exe
  Token: 33                            1056  wmic.exe
  Token: 34                            1056  wmic.exe
  Token: 35                            1056  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1056  wmic.exe
  Token: SeSecurityPrivilege           1056  wmic.exe
  Token: SeTakeOwnershipPrivilege      1056  wmic.exe
  Token: SeLoadDriverPrivilege         1056  wmic.exe
  Token: SeSystemProfilePrivilege      1056  wmic.exe
  Token: SeSystemtimePrivilege         1056  wmic.exe
  Token: SeProfSingleProcessPrivilege  1056  wmic.exe
  Token: SeIncBasePriorityPrivilege    1056  wmic.exe
  Token: SeCreatePagefilePrivilege     1056  wmic.exe
  Token: SeBackupPrivilege             1056  wmic.exe
  Token: SeRestorePrivilege            1056  wmic.exe
  Token: SeShutdownPrivilege           1056  wmic.exe
  Token: SeDebugPrivilege              1056  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1056  wmic.exe
  Token: SeRemoteShutdownPrivilege     1056  wmic.exe
  Token: SeUndockPrivilege             1056  wmic.exe
  Token: SeManageVolumePrivilege       1056  wmic.exe
  Token: 33                            1056  wmic.exe
  Token: 34                            1056  wmic.exe
  Token: 35                            1056  wmic.exe
  Token: SeIncreaseQuotaPrivilege      320   WMIC.exe
  Token: SeSecurityPrivilege           320   WMIC.exe
  Token: SeTakeOwnershipPrivilege      320   WMIC.exe
  Token: SeLoadDriverPrivilege         320   WMIC.exe
  Token: SeSystemProfilePrivilege      320   WMIC.exe
  Token: SeSystemtimePrivilege         320   WMIC.exe
  Token: SeProfSingleProcessPrivilege  320   WMIC.exe
  Token: SeIncBasePriorityPrivilege    320   WMIC.exe
  Token: SeCreatePagefilePrivilege     320   WMIC.exe
  Token: SeBackupPrivilege             320   WMIC.exe
  Token: SeRestorePrivilege            320   WMIC.exe
  Token: SeShutdownPrivilege           320   WMIC.exe
  Token: SeDebugPrivilege              320   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  320   WMIC.exe
  Token: SeRemoteShutdownPrivilege     320   WMIC.exe
  Token: SeUndockPrivilege             320   WMIC.exe
  Token: SeManageVolumePrivilege       320   WMIC.exe
  Token: 33                            320   WMIC.exe
  Token: 34                            320   WMIC.exe
  Token: 35                            320   WMIC.exe
  Token: SeIncreaseQuotaPrivilege      320   WMIC.exe
  Token: SeSecurityPrivilege           320   WMIC.exe
  Token: SeTakeOwnershipPrivilege      320   WMIC.exe
  Token: SeLoadDriverPrivilege         320   WMIC.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 2daf6321a7fb96cd0834ebd018e67dc2.exe, cmd.exe, cmd.exe

  description                        pid   process                               target process
  PID 1336 wrote to memory of 1056   1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  wmic.exe
  PID 1336 wrote to memory of 1056   1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  wmic.exe
  PID 1336 wrote to memory of 1056   1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  wmic.exe
  PID 1336 wrote to memory of 276    1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  cmd.exe
  PID 1336 wrote to memory of 276    1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  cmd.exe
  PID 1336 wrote to memory of 276    1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  cmd.exe
  PID 276 wrote to memory of 320     276   cmd.exe                               WMIC.exe
  PID 276 wrote to memory of 320     276   cmd.exe                               WMIC.exe
  PID 276 wrote to memory of 320     276   cmd.exe                               WMIC.exe
  PID 1336 wrote to memory of 1736   1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  cmd.exe
  PID 1336 wrote to memory of 1736   1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  cmd.exe
  PID 1336 wrote to memory of 1736   1336  2daf6321a7fb96cd0834ebd018e67dc2.exe  cmd.exe
  PID 1736 wrote to memory of 836    1736  cmd.exe                               WMIC.exe
  PID 1736 wrote to memory of 836    1736  cmd.exe                               WMIC.exe
  PID 1736 wrote to memory of 836    1736  cmd.exe                               WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2daf6321a7fb96cd0834ebd018e67dc2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2daf6321a7fb96cd0834ebd018e67dc2.exe"
  depth: 1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    command line: wmic os get Caption
    depth: 2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: cmd /C "wmic path win32_VideoController get name"
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name
      depth: 3
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: cmd /C "wmic cpu get name"
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic cpu get name
      depth: 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: e5e23f78017d1e6eddfc8480e1679ee4
  SHA1: 0667bd1b7129b105bd2c66ef6ad54c9648aec072
  SHA256: 4fed2f4c33a3876390d8520f184062927aca8e0ce3538127de3a2f66ea856d91
  SHA512: b1260e7ba7ad6d5dd0daeabc5f7cc1fc7a2e9259092f8d70d3d9eed923ed8aa60adcce4c27e9cb20966d500ed59edaaba9570f01d6a84180f1fb83e7b5c20049