Analysis
- max time kernel: 62s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2023 22:34
Behavioral task
- behavioral1
- Sample: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
- Resource: win7-20230220-en
General
- Target: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
- Size: 3.0MB
- MD5: a8a106555b9e1f92569d623c66ee8c12
- SHA1: a5080c26b5f5911c10d80654c84239a226fc75d1
- SHA256: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
- SHA512: 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
- SSDEEP: 49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  Token privileges adjusted (description, pid, process), in the order recorded:
  - wmic.exe (PID 1040), the following sequence recorded twice (40 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - WMIC.exe (PID 1324), the same 20-entry sequence recorded once, followed by SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (24 rows)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe, cmd.exe, cmd.exe
  Description (pid, process, target process), each recorded four times:
  - PID 1584 (84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe) wrote to memory of PID 1040 (wmic.exe)
  - PID 1584 (84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe) wrote to memory of PID 320 (cmd.exe)
  - PID 320 (cmd.exe) wrote to memory of PID 1324 (WMIC.exe)
  - PID 1584 (84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe) wrote to memory of PID 1860 (cmd.exe)
  - PID 1860 (cmd.exe) wrote to memory of PID 548 (WMIC.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe (PID 1584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1040)
    Command line: wmic os get Caption
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 320)
    Command line: cmd /C "wmic path win32_VideoController get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1324)
      Command line: wmic path win32_VideoController get name
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1860)
    Command line: cmd /C "wmic cpu get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 548)
      Command line: wmic cpu get name
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: 2beb695add0546f6a18496aae58b2558
  SHA1: 1fd818202a94825c56ad7a7793bea87c6f02960e
  SHA256: 132cb7037ada7d8563c5b8cf64796ed22b0fbc1ccefbbbf5faa3c18545b289ed
  SHA512: e80fa42ab27afa16e0f6f72639077be7da3e73f7c7b4cecbe0d24637ee76334de77a2b61e7c3afab4e3750e53a93baa68d3cdb9c1eb55fb9a5d580cff94f21f2