Analysis
max time kernel: 30s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 15-03-2023 22:36
Behavioral task: behavioral1
Sample: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
Resource: win7-20230220-en
General
Target: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
Size: 3.0MB
MD5: a8a106555b9e1f92569d623c66ee8c12
SHA1: a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512: 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
SSDEEP: 49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1208 | wmic.exe
  Token: SeSecurityPrivilege | 1208 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1208 | wmic.exe
  Token: SeLoadDriverPrivilege | 1208 | wmic.exe
  Token: SeSystemProfilePrivilege | 1208 | wmic.exe
  Token: SeSystemtimePrivilege | 1208 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1208 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1208 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1208 | wmic.exe
  Token: SeBackupPrivilege | 1208 | wmic.exe
  Token: SeRestorePrivilege | 1208 | wmic.exe
  Token: SeShutdownPrivilege | 1208 | wmic.exe
  Token: SeDebugPrivilege | 1208 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1208 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1208 | wmic.exe
  Token: SeUndockPrivilege | 1208 | wmic.exe
  Token: SeManageVolumePrivilege | 1208 | wmic.exe
  Token: 33 | 1208 | wmic.exe
  Token: 34 | 1208 | wmic.exe
  Token: 35 | 1208 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1208 | wmic.exe
  Token: SeSecurityPrivilege | 1208 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1208 | wmic.exe
  Token: SeLoadDriverPrivilege | 1208 | wmic.exe
  Token: SeSystemProfilePrivilege | 1208 | wmic.exe
  Token: SeSystemtimePrivilege | 1208 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1208 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1208 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1208 | wmic.exe
  Token: SeBackupPrivilege | 1208 | wmic.exe
  Token: SeRestorePrivilege | 1208 | wmic.exe
  Token: SeShutdownPrivilege | 1208 | wmic.exe
  Token: SeDebugPrivilege | 1208 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1208 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1208 | wmic.exe
  Token: SeUndockPrivilege | 1208 | wmic.exe
  Token: SeManageVolumePrivilege | 1208 | wmic.exe
  Token: 33 | 1208 | wmic.exe
  Token: 34 | 1208 | wmic.exe
  Token: 35 | 1208 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1496 | WMIC.exe
  Token: SeSecurityPrivilege | 1496 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1496 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1496 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1496 | WMIC.exe
  Token: SeSystemtimePrivilege | 1496 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1496 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1496 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1496 | WMIC.exe
  Token: SeBackupPrivilege | 1496 | WMIC.exe
  Token: SeRestorePrivilege | 1496 | WMIC.exe
  Token: SeShutdownPrivilege | 1496 | WMIC.exe
  Token: SeDebugPrivilege | 1496 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1496 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1496 | WMIC.exe
  Token: SeUndockPrivilege | 1496 | WMIC.exe
  Token: SeManageVolumePrivilege | 1496 | WMIC.exe
  Token: 33 | 1496 | WMIC.exe
  Token: 34 | 1496 | WMIC.exe
  Token: 35 | 1496 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1496 | WMIC.exe
  Token: SeSecurityPrivilege | 1496 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1496 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1496 | WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1400 wrote to memory of 1208 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | wmic.exe
  PID 1400 wrote to memory of 1208 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | wmic.exe
  PID 1400 wrote to memory of 1208 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | wmic.exe
  PID 1400 wrote to memory of 1208 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | wmic.exe
  PID 1400 wrote to memory of 920 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1400 wrote to memory of 920 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1400 wrote to memory of 920 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1400 wrote to memory of 920 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 920 wrote to memory of 1496 | 920 | cmd.exe | WMIC.exe
  PID 920 wrote to memory of 1496 | 920 | cmd.exe | WMIC.exe
  PID 920 wrote to memory of 1496 | 920 | cmd.exe | WMIC.exe
  PID 920 wrote to memory of 1496 | 920 | cmd.exe | WMIC.exe
  PID 1400 wrote to memory of 1448 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1400 wrote to memory of 1448 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1400 wrote to memory of 1448 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1400 wrote to memory of 1448 | 1400 | 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe | cmd.exe
  PID 1448 wrote to memory of 1592 | 1448 | cmd.exe | WMIC.exe
  PID 1448 wrote to memory of 1592 | 1448 | cmd.exe | WMIC.exe
  PID 1448 wrote to memory of 1592 | 1448 | cmd.exe | WMIC.exe
  PID 1448 wrote to memory of 1592 | 1448 | cmd.exe | WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    command line: wmic os get Caption
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /C "wmic path win32_VideoController get name"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
      command line: wmic path win32_VideoController get name
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /C "wmic cpu get name"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
      command line: wmic cpu get name
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: e5e81f0ae5ba9a2ac3db0a17d3c9f810
  SHA1: c2d6bdf002325094ff399b1e4c36df575b48ee4f
  SHA256: a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3
  SHA512: cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce