Analysis
-
max time kernel
30s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
13-03-2023 05:06
Behavioral task
behavioral1
Sample
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
Resource
win7-20230220-en
General
-
Target
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
-
Size
3.0MB
-
MD5
a8a106555b9e1f92569d623c66ee8c12
-
SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1
-
SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
-
SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
SSDEEP
49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 1724 wmic.exe Token: SeSecurityPrivilege 1724 wmic.exe Token: SeTakeOwnershipPrivilege 1724 wmic.exe Token: SeLoadDriverPrivilege 1724 wmic.exe Token: SeSystemProfilePrivilege 1724 wmic.exe Token: SeSystemtimePrivilege 1724 wmic.exe Token: SeProfSingleProcessPrivilege 1724 wmic.exe Token: SeIncBasePriorityPrivilege 1724 wmic.exe Token: SeCreatePagefilePrivilege 1724 wmic.exe Token: SeBackupPrivilege 1724 wmic.exe Token: SeRestorePrivilege 1724 wmic.exe Token: SeShutdownPrivilege 1724 wmic.exe Token: SeDebugPrivilege 1724 wmic.exe Token: SeSystemEnvironmentPrivilege 1724 wmic.exe Token: SeRemoteShutdownPrivilege 1724 wmic.exe Token: SeUndockPrivilege 1724 wmic.exe Token: SeManageVolumePrivilege 1724 wmic.exe Token: 33 1724 wmic.exe Token: 34 1724 wmic.exe Token: 35 1724 wmic.exe Token: SeIncreaseQuotaPrivilege 1724 wmic.exe Token: SeSecurityPrivilege 1724 wmic.exe Token: SeTakeOwnershipPrivilege 1724 wmic.exe Token: SeLoadDriverPrivilege 1724 wmic.exe Token: SeSystemProfilePrivilege 1724 wmic.exe Token: SeSystemtimePrivilege 1724 wmic.exe Token: SeProfSingleProcessPrivilege 1724 wmic.exe Token: SeIncBasePriorityPrivilege 1724 wmic.exe Token: SeCreatePagefilePrivilege 1724 wmic.exe Token: SeBackupPrivilege 1724 wmic.exe Token: SeRestorePrivilege 1724 wmic.exe Token: SeShutdownPrivilege 1724 wmic.exe Token: SeDebugPrivilege 1724 wmic.exe Token: SeSystemEnvironmentPrivilege 1724 wmic.exe Token: SeRemoteShutdownPrivilege 1724 wmic.exe Token: SeUndockPrivilege 1724 wmic.exe Token: SeManageVolumePrivilege 1724 wmic.exe Token: 33 1724 wmic.exe Token: 34 1724 wmic.exe Token: 35 1724 wmic.exe Token: SeIncreaseQuotaPrivilege 1740 WMIC.exe Token: SeSecurityPrivilege 1740 WMIC.exe Token: SeTakeOwnershipPrivilege 1740 WMIC.exe Token: SeLoadDriverPrivilege 1740 WMIC.exe Token: SeSystemProfilePrivilege 1740 WMIC.exe Token: SeSystemtimePrivilege 1740 WMIC.exe Token: SeProfSingleProcessPrivilege 1740 WMIC.exe Token: SeIncBasePriorityPrivilege 1740 WMIC.exe Token: SeCreatePagefilePrivilege 1740 WMIC.exe Token: SeBackupPrivilege 1740 WMIC.exe Token: SeRestorePrivilege 1740 WMIC.exe Token: SeShutdownPrivilege 1740 WMIC.exe Token: SeDebugPrivilege 1740 WMIC.exe Token: SeSystemEnvironmentPrivilege 1740 WMIC.exe Token: SeRemoteShutdownPrivilege 1740 WMIC.exe Token: SeUndockPrivilege 1740 WMIC.exe Token: SeManageVolumePrivilege 1740 WMIC.exe Token: 33 1740 WMIC.exe Token: 34 1740 WMIC.exe Token: 35 1740 WMIC.exe Token: SeIncreaseQuotaPrivilege 1740 WMIC.exe Token: SeSecurityPrivilege 1740 WMIC.exe Token: SeTakeOwnershipPrivilege 1740 WMIC.exe Token: SeLoadDriverPrivilege 1740 WMIC.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.execmd.execmd.exedescription pid process target process PID 836 wrote to memory of 1724 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 836 wrote to memory of 1724 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 836 wrote to memory of 1724 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 836 wrote to memory of 1724 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 836 wrote to memory of 528 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 836 wrote to memory of 528 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 836 wrote to memory of 528 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 836 wrote to memory of 528 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 528 wrote to memory of 1740 528 cmd.exe WMIC.exe PID 528 wrote to memory of 1740 528 cmd.exe WMIC.exe PID 528 wrote to memory of 1740 528 cmd.exe WMIC.exe PID 528 wrote to memory of 1740 528 cmd.exe WMIC.exe PID 836 wrote to memory of 1272 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 836 wrote to memory of 1272 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 836 wrote to memory of 1272 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 836 wrote to memory of 1272 836 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1272 wrote to memory of 1504 1272 cmd.exe WMIC.exe PID 1272 wrote to memory of 1504 1272 cmd.exe WMIC.exe PID 1272 wrote to memory of 1504 1272 cmd.exe WMIC.exe PID 1272 wrote to memory of 1504 1272 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmotFilesize
71KB
MD56082dd13ad8102d17f9db9cd07600e97
SHA139becc88cea914d843b3c5521038907f2f2f4e71
SHA25640a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a
SHA512b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e