Analysis
max time kernel: 26s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-03-2023 20:21
Static task: static1
Behavioral task: behavioral1
Sample: 4a39e396ddbd9c7116858b6f96a06eb2.exe
Resource: win7-20230220-en
General
Target: 4a39e396ddbd9c7116858b6f96a06eb2.exe
Size: 1.4MB
MD5: 4a39e396ddbd9c7116858b6f96a06eb2
SHA1: 53d51d7c43f6af46f720025eafbf346586bfae09
SHA256: b7318a38055034579cfb6799fd2cb264a6ef1a9f5d6952970474e4139374ef73
SHA512: 03984f76e2050464bc6e9269d8c488a3f7d38bdda22ced6fdcb0c43522eec1248b00772cc8510944b4856185b40883a64537fa81d7ce73e55f4271fc726dcf37
SSDEEP: 24576:mFsLW3eGfYYrd+z9tEdnJkQ8D9rgf2UhxVgnj20E+3b+sC5E2B7K1X42tdYyTr6i:BLWuMrpP8D98XYqY36sCFK1I2tqu2T47
Malware Config
Extracted
Family: aurora
C2 (from the extracted config): 94.142.138.34:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe (pid 904), WMIC.exe (pid 880)
  Both processes enable the same set of 20 token privileges, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 904 wmic.exe: the full set, twice (40 IoCs)
  pid 880 WMIC.exe: the full set once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege again (24 IoCs)
  Note that this is wmic.exe's own behaviour: it enables every privilege in its token at startup, so the signature fires on the WMI client regardless of who launched it. The useful signal is the parent that spawned it, not the privilege adjustment itself.
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 4a39e396ddbd9c7116858b6f96a06eb2.exe, cmd.exe, cmd.exe
  description (pid process -> target process), each recorded 4 times:
  PID 1336 wrote to memory of 904: 4a39e396ddbd9c7116858b6f96a06eb2.exe -> wmic.exe
  PID 1336 wrote to memory of 1704: 4a39e396ddbd9c7116858b6f96a06eb2.exe -> cmd.exe
  PID 1704 wrote to memory of 880: cmd.exe -> WMIC.exe
  PID 1336 wrote to memory of 932: 4a39e396ddbd9c7116858b6f96a06eb2.exe -> cmd.exe
  PID 932 wrote to memory of 1868: cmd.exe -> WMIC.exe
  Every target here is the child that the writer spawns in the process tree below, so these writes coincide with process creation rather than indicating injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe (pid 1336)
  "C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe"  [1]
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (pid 904)
    wmic os get Caption  [2]
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (pid 1704)
    cmd /C "wmic path win32_VideoController get name"  [2]
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (pid 880)
      wmic path win32_VideoController get name  [3]
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (pid 932)
    cmd /C "wmic cpu get name"  [2]
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (pid 1868)
      wmic cpu get name  [3]
Bracketed numbers are the process-tree depth. PIDs are taken from the WriteProcessMemory signature above; the three WMI queries (OS caption, GPU name, CPU name) are host fingerprinting, the sort of data a stealer sends with its first check-in.
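The tree above is a recognisable pattern: one process, running out of a user's Temp directory, drives three separate WMI queries, two of them through cmd /C wrappers. Any one of those wmic invocations is also something an administrator types, so a useful detection keys on the chain (walk past the cmd.exe wrapper to the real originator) and on the combination of queries, not on a single command line. The following is an added example written for this page, not the sandbox's own logic and not code from the sample. It runs over constructed process-creation events that mirror the PIDs and command lines in the report plus one constructed benign control; the event layout and the originator/wrapper handling are assumptions of the example.

```python
"""Flag a process that fingerprints the host through chained wmic queries."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon Event ID 1 record would carry)."""
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable
    cmdline: str


# WMI queries that together fingerprint a host; regexes run over the lowercased command line.
FINGERPRINT_QUERIES = {
    r"\bos\s+get\s+caption\b": "os_caption",
    r"\bwin32_videocontroller\s+get\s+name\b": "gpu_name",
    r"\bcpu\s+get\s+name\b": "cpu_name",
}

# Launchers that only pass a command line through; the detection walks up past them.
WRAPPERS = {"cmd.exe", "powershell.exe"}

# Constructed events mirroring the report's process tree (PIDs and command lines as recorded),
# followed by a constructed benign control: an interactive shell running one wmic query.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1336, 1000, "4a39e396ddbd9c7116858b6f96a06eb2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe"'),
    ProcEvent(904, 1336, "wmic.exe", "wmic os get Caption"),
    ProcEvent(1704, 1336, "cmd.exe", 'cmd /C "wmic path win32_VideoController get name"'),
    ProcEvent(880, 1704, "wmic.exe", "wmic path win32_VideoController get name"),
    ProcEvent(932, 1336, "cmd.exe", 'cmd /C "wmic cpu get name"'),
    ProcEvent(1868, 932, "wmic.exe", "wmic cpu get name"),
    ProcEvent(2000, 1500, "explorer.exe", "explorer.exe"),          # constructed control
    ProcEvent(2100, 2000, "cmd.exe", "cmd.exe"),                    # constructed control
    ProcEvent(2200, 2100, "wmic.exe", "wmic cpu get name"),         # constructed control
]


def classify_wmic(cmdline: str) -> Optional[str]:
    """Return the fingerprint label for a wmic command line, or None if it is not one."""
    lowered = cmdline.lower()
    for pattern, label in FINGERPRINT_QUERIES.items():
        if re.search(pattern, lowered):
            return label
    return None


def origin_of(pid: int, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk up through wrapper processes to the process that actually drove the query.

    Returns None when the ancestry leaves the event set, so nothing is attributed to an
    unknown parent. The 'seen' set guards against cyclic or reused PIDs in a log.
    """
    ev = by_pid.get(pid)
    seen = set()
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image not in WRAPPERS:
            return parent
        ev = parent
    return None


def find_fingerprinting_chains(events: List[ProcEvent], min_queries: int = 2) -> Dict[int, dict]:
    """Group fingerprint queries by originating process; report origins with >= min_queries distinct ones.

    A single wmic query from a shell is ordinary administration; the combination is the signal.
    """
    by_pid = {e.pid: e for e in events}
    queries = defaultdict(set)
    for e in events:
        if e.image != "wmic.exe":
            continue
        label = classify_wmic(e.cmdline)
        if label is None:
            continue
        origin = origin_of(e.pid, by_pid)
        if origin is not None:
            queries[origin.pid].add(label)
    return {
        pid: {"image": by_pid[pid].image, "queries": sorted(labels)}
        for pid, labels in queries.items()
        if len(labels) >= min_queries
    }


if __name__ == "__main__":
    for pid, hit in find_fingerprinting_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({hit['image']}) fingerprinted host via wmic: {', '.join(hit['queries'])}")
```

On the constructed events only pid 1336 is reported, with all three query types; the control's lone wmic cpu get name is attributed to explorer.exe and stays under the threshold. In production you would feed real Sysmon or EDR process events, keep the threshold at two or more distinct queries, and add the originator's image path (a user-writable directory such as AppData\Local\Temp, as here) as a second scoring factor rather than a hard filter.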
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: e5e23f78017d1e6eddfc8480e1679ee4
  SHA1: 0667bd1b7129b105bd2c66ef6ad54c9648aec072
  SHA256: 4fed2f4c33a3876390d8520f184062927aca8e0ce3538127de3a2f66ea856d91
  SHA512: b1260e7ba7ad6d5dd0daeabc5f7cc1fc7a2e9259092f8d70d3d9eed923ed8aa60adcce4c27e9cb20966d500ed59edaaba9570f01d6a84180f1fb83e7b5c20049
- memory/1336-54-0x00000000021B0000-0x00000000022FA000-memory.dmp
  Filesize: 1.3MB
- memory/1336-55-0x0000000002300000-0x00000000025FF000-memory.dmp
  Filesize: 3.0MB
- memory/1336-87-0x0000000000400000-0x0000000000731000-memory.dmp
  Filesize: 3.2MB
- memory/1336-88-0x0000000000400000-0x0000000000731000-memory.dmp
  Filesize: 3.2MB