Analysis
- max time kernel: 135s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-03-2023 02:09
Static task: static1
General
- Target: 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe
- Size: 7.0MB
- MD5: e309c8e66cb963033a3e8cc4b480f81d
- SHA1: 134e53048c0e8055cbb913779068f923751abd91
- SHA256: 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658
- SHA512: 1fe506e3601e0ddabe6a2c096e1e588fbf5d2fc80cab4d379121895bc1c2d64b5da8b293637420e024e35bbb75217bccc6fc99368d51c39fc6ab5199e47587a3
- SSDEEP: 49152:1gjtfvNrQtMX9NQz0/BtRd8F4Ji8UUr8eNp2HEqkseUJc0In5:W7rQQvQzyR84JxF8eNp2HEqksPcd
Malware Config
- Extracted: aurora, 138.201.198.8:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  description / pid / process:
  - Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 / 4060 / wmic.exe (this sequence of 21 tokens is recorded twice: 42 entries)
  - Token: the same sequence of 21 tokens, followed by SeIncreaseQuotaPrivilege once more / 1720 / WMIC.exe (22 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe, cmd.exe, cmd.exe
  description / pid / process / target process:
  - PID 2772 wrote to memory of 4060 / 2772 / 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe / wmic.exe
  - PID 2772 wrote to memory of 4060 / 2772 / 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe / wmic.exe
  - PID 2772 wrote to memory of 2196 / 2772 / 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe / cmd.exe
  - PID 2772 wrote to memory of 2196 / 2772 / 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe / cmd.exe
  - PID 2196 wrote to memory of 1720 / 2196 / cmd.exe / WMIC.exe
  - PID 2196 wrote to memory of 1720 / 2196 / cmd.exe / WMIC.exe
  - PID 2772 wrote to memory of 2944 / 2772 / 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe / cmd.exe
  - PID 2772 wrote to memory of 2944 / 2772 / 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe / cmd.exe
  - PID 2944 wrote to memory of 2716 / 2944 / cmd.exe / WMIC.exe
  - PID 2944 wrote to memory of 2716 / 2944 / cmd.exe / WMIC.exe
Processes (process tree; indentation shows depth)
- C:\Users\Admin\AppData\Local\Temp\7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic os get Caption
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get name
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: 18da5c19d469f921ff9d44f1f17de97b
  SHA1: bef606053494e1f516431d40f2aca29cf1deeb20
  SHA256: 662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0
  SHA512: 9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 46988a922937a39036d6b71e62d0f966
  SHA1: 4a997f2a0360274ec7990aac156870a5a7030665
  SHA256: 5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6
  SHA512: dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d
- memory/2772-133-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-134-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-135-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-136-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-137-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-138-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-139-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)
- memory/2772-192-0x0000000000400000-0x000000000075C000-memory.dmp (Filesize: 3.4MB)