Analysis
max time kernel: 82s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2023 20:21
Static task: static1
Behavioral task: behavioral1
Sample: 4a39e396ddbd9c7116858b6f96a06eb2.exe
Resource: win7-20230220-en
General
Target: 4a39e396ddbd9c7116858b6f96a06eb2.exe
Size: 1.4MB
MD5: 4a39e396ddbd9c7116858b6f96a06eb2
SHA1: 53d51d7c43f6af46f720025eafbf346586bfae09
SHA256: b7318a38055034579cfb6799fd2cb264a6ef1a9f5d6952970474e4139374ef73
SHA512: 03984f76e2050464bc6e9269d8c488a3f7d38bdda22ced6fdcb0c43522eec1248b00772cc8510944b4856185b40883a64537fa81d7ce73e55f4271fc726dcf37
SSDEEP: 24576:mFsLW3eGfYYrd+z9tEdnJkQ8D9rgf2UhxVgnj20E+3b+sC5E2B7K1X42tdYyTr6i:BLWuMrpP8D98XYqY36sCFK1I2tqu2T47
Malware Config
Extracted
Family: aurora
C2: 94.142.138.34:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Program crash (1 IoCs)
  Processes:
  pid   pid_target  process       target process
  1508  2000        WerFault.exe  4a39e396ddbd9c7116858b6f96a06eb2.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                            pid   process
  Token: SeIncreaseQuotaPrivilege        3372  wmic.exe
  Token: SeSecurityPrivilege             3372  wmic.exe
  Token: SeTakeOwnershipPrivilege        3372  wmic.exe
  Token: SeLoadDriverPrivilege           3372  wmic.exe
  Token: SeSystemProfilePrivilege        3372  wmic.exe
  Token: SeSystemtimePrivilege           3372  wmic.exe
  Token: SeProfSingleProcessPrivilege    3372  wmic.exe
  Token: SeIncBasePriorityPrivilege      3372  wmic.exe
  Token: SeCreatePagefilePrivilege       3372  wmic.exe
  Token: SeBackupPrivilege               3372  wmic.exe
  Token: SeRestorePrivilege              3372  wmic.exe
  Token: SeShutdownPrivilege             3372  wmic.exe
  Token: SeDebugPrivilege                3372  wmic.exe
  Token: SeSystemEnvironmentPrivilege    3372  wmic.exe
  Token: SeRemoteShutdownPrivilege       3372  wmic.exe
  Token: SeUndockPrivilege               3372  wmic.exe
  Token: SeManageVolumePrivilege         3372  wmic.exe
  Token: 33                              3372  wmic.exe
  Token: 34                              3372  wmic.exe
  Token: 35                              3372  wmic.exe
  Token: 36                              3372  wmic.exe
  Token: SeIncreaseQuotaPrivilege        3372  wmic.exe
  Token: SeSecurityPrivilege             3372  wmic.exe
  Token: SeTakeOwnershipPrivilege        3372  wmic.exe
  Token: SeLoadDriverPrivilege           3372  wmic.exe
  Token: SeSystemProfilePrivilege        3372  wmic.exe
  Token: SeSystemtimePrivilege           3372  wmic.exe
  Token: SeProfSingleProcessPrivilege    3372  wmic.exe
  Token: SeIncBasePriorityPrivilege      3372  wmic.exe
  Token: SeCreatePagefilePrivilege       3372  wmic.exe
  Token: SeBackupPrivilege               3372  wmic.exe
  Token: SeRestorePrivilege              3372  wmic.exe
  Token: SeShutdownPrivilege             3372  wmic.exe
  Token: SeDebugPrivilege                3372  wmic.exe
  Token: SeSystemEnvironmentPrivilege    3372  wmic.exe
  Token: SeRemoteShutdownPrivilege       3372  wmic.exe
  Token: SeUndockPrivilege               3372  wmic.exe
  Token: SeManageVolumePrivilege         3372  wmic.exe
  Token: 33                              3372  wmic.exe
  Token: 34                              3372  wmic.exe
  Token: 35                              3372  wmic.exe
  Token: 36                              3372  wmic.exe
  Token: SeIncreaseQuotaPrivilege        4924  WMIC.exe
  Token: SeSecurityPrivilege             4924  WMIC.exe
  Token: SeTakeOwnershipPrivilege        4924  WMIC.exe
  Token: SeLoadDriverPrivilege           4924  WMIC.exe
  Token: SeSystemProfilePrivilege        4924  WMIC.exe
  Token: SeSystemtimePrivilege           4924  WMIC.exe
  Token: SeProfSingleProcessPrivilege    4924  WMIC.exe
  Token: SeIncBasePriorityPrivilege      4924  WMIC.exe
  Token: SeCreatePagefilePrivilege       4924  WMIC.exe
  Token: SeBackupPrivilege               4924  WMIC.exe
  Token: SeRestorePrivilege              4924  WMIC.exe
  Token: SeShutdownPrivilege             4924  WMIC.exe
  Token: SeDebugPrivilege                4924  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    4924  WMIC.exe
  Token: SeRemoteShutdownPrivilege       4924  WMIC.exe
  Token: SeUndockPrivilege               4924  WMIC.exe
  Token: SeManageVolumePrivilege         4924  WMIC.exe
  Token: 33                              4924  WMIC.exe
  Token: 34                              4924  WMIC.exe
  Token: 35                              4924  WMIC.exe
  Token: 36                              4924  WMIC.exe
  Token: SeIncreaseQuotaPrivilege        4924  WMIC.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                    pid   process                               target process
  PID 2000 wrote to memory of 3372  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  wmic.exe
  PID 2000 wrote to memory of 3372  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  wmic.exe
  PID 2000 wrote to memory of 3372  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  wmic.exe
  PID 2000 wrote to memory of 3472  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  cmd.exe
  PID 2000 wrote to memory of 3472  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  cmd.exe
  PID 2000 wrote to memory of 3472  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  cmd.exe
  PID 3472 wrote to memory of 4924  3472  cmd.exe                               WMIC.exe
  PID 3472 wrote to memory of 4924  3472  cmd.exe                               WMIC.exe
  PID 3472 wrote to memory of 4924  3472  cmd.exe                               WMIC.exe
  PID 2000 wrote to memory of 1696  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  cmd.exe
  PID 2000 wrote to memory of 1696  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  cmd.exe
  PID 2000 wrote to memory of 1696  2000  4a39e396ddbd9c7116858b6f96a06eb2.exe  cmd.exe
  PID 1696 wrote to memory of 4988  1696  cmd.exe                               WMIC.exe
  PID 1696 wrote to memory of 4988  1696  cmd.exe                               WMIC.exe
  PID 1696 wrote to memory of 4988  1696  cmd.exe                               WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe"
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic os get Caption
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /C "wmic path win32_VideoController get name"
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /C "wmic cpu get name"
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic cpu get name
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 740
    Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2000 -ip 2000
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: dce9b749d38fdc247ab517e8a76e6102
  SHA1: d6c5b6548e1a3da3326bd097c50c49fc7906be3f
  SHA256: 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
  SHA512: 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 92d24961d2ebaacf1ace5463dfc9930d
  SHA1: 99ffaf6904ab616c33a37ce01d383e4a493df335
  SHA256: 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
  SHA512: 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7
- memory/2000-134-0x00000000024D0000-0x00000000027CF000-memory.dmp
  Filesize: 3.0MB
- memory/2000-187-0x0000000000400000-0x0000000000731000-memory.dmp
  Filesize: 3.2MB