Analysis
-
max time kernel
31s -
max time network
36s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15-03-2023 03:08
Behavioral task
behavioral1
Sample
uni2.exe
Resource
win7-20230220-en
General
-
Target
uni2.exe
-
Size
3.0MB
-
MD5
7b7f66624ef0b602dc8b5cf5ab0e0cc7
-
SHA1
7ce5ff0bc6ed6160b34d110f58c4e3b3131b6471
-
SHA256
417aee1f9b38131b40df67ca5ade203e6e45fb3b2928ba209ef2afacc3d6d8fe
-
SHA512
622a202c7ad573c7f6d98905b7b4edeb8e0084d069e3943fbfc03046df5f19fe48e48aeda4f8c396a8a79fa85f136720cc3312c8a8cb6564a9928a76fe1f4e8d
-
SSDEEP
49152:n2F3dmZsmanH2CXOwjygvaBsLFA8pHht8k1r:aPmEjpLO8pZ
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 904 wmic.exe Token: SeSecurityPrivilege 904 wmic.exe Token: SeTakeOwnershipPrivilege 904 wmic.exe Token: SeLoadDriverPrivilege 904 wmic.exe Token: SeSystemProfilePrivilege 904 wmic.exe Token: SeSystemtimePrivilege 904 wmic.exe Token: SeProfSingleProcessPrivilege 904 wmic.exe Token: SeIncBasePriorityPrivilege 904 wmic.exe Token: SeCreatePagefilePrivilege 904 wmic.exe Token: SeBackupPrivilege 904 wmic.exe Token: SeRestorePrivilege 904 wmic.exe Token: SeShutdownPrivilege 904 wmic.exe Token: SeDebugPrivilege 904 wmic.exe Token: SeSystemEnvironmentPrivilege 904 wmic.exe Token: SeRemoteShutdownPrivilege 904 wmic.exe Token: SeUndockPrivilege 904 wmic.exe Token: SeManageVolumePrivilege 904 wmic.exe Token: 33 904 wmic.exe Token: 34 904 wmic.exe Token: 35 904 wmic.exe Token: SeIncreaseQuotaPrivilege 904 wmic.exe Token: SeSecurityPrivilege 904 wmic.exe Token: SeTakeOwnershipPrivilege 904 wmic.exe Token: SeLoadDriverPrivilege 904 wmic.exe Token: SeSystemProfilePrivilege 904 wmic.exe Token: SeSystemtimePrivilege 904 wmic.exe Token: SeProfSingleProcessPrivilege 904 wmic.exe Token: SeIncBasePriorityPrivilege 904 wmic.exe Token: SeCreatePagefilePrivilege 904 wmic.exe Token: SeBackupPrivilege 904 wmic.exe Token: SeRestorePrivilege 904 wmic.exe Token: SeShutdownPrivilege 904 wmic.exe Token: SeDebugPrivilege 904 wmic.exe Token: SeSystemEnvironmentPrivilege 904 wmic.exe Token: SeRemoteShutdownPrivilege 904 wmic.exe Token: SeUndockPrivilege 904 wmic.exe Token: SeManageVolumePrivilege 904 wmic.exe Token: 33 904 wmic.exe Token: 34 904 wmic.exe Token: 35 904 wmic.exe Token: SeIncreaseQuotaPrivilege 1736 WMIC.exe Token: SeSecurityPrivilege 1736 WMIC.exe Token: SeTakeOwnershipPrivilege 1736 WMIC.exe Token: SeLoadDriverPrivilege 1736 WMIC.exe Token: SeSystemProfilePrivilege 1736 WMIC.exe Token: SeSystemtimePrivilege 1736 WMIC.exe Token: SeProfSingleProcessPrivilege 1736 WMIC.exe Token: SeIncBasePriorityPrivilege 1736 WMIC.exe Token: SeCreatePagefilePrivilege 1736 WMIC.exe Token: SeBackupPrivilege 1736 WMIC.exe Token: SeRestorePrivilege 1736 WMIC.exe Token: SeShutdownPrivilege 1736 WMIC.exe Token: SeDebugPrivilege 1736 WMIC.exe Token: SeSystemEnvironmentPrivilege 1736 WMIC.exe Token: SeRemoteShutdownPrivilege 1736 WMIC.exe Token: SeUndockPrivilege 1736 WMIC.exe Token: SeManageVolumePrivilege 1736 WMIC.exe Token: 33 1736 WMIC.exe Token: 34 1736 WMIC.exe Token: 35 1736 WMIC.exe Token: SeIncreaseQuotaPrivilege 1736 WMIC.exe Token: SeSecurityPrivilege 1736 WMIC.exe Token: SeTakeOwnershipPrivilege 1736 WMIC.exe Token: SeLoadDriverPrivilege 1736 WMIC.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
uni2.execmd.execmd.exedescription pid process target process PID 1868 wrote to memory of 904 1868 uni2.exe wmic.exe PID 1868 wrote to memory of 904 1868 uni2.exe wmic.exe PID 1868 wrote to memory of 904 1868 uni2.exe wmic.exe PID 1868 wrote to memory of 1732 1868 uni2.exe cmd.exe PID 1868 wrote to memory of 1732 1868 uni2.exe cmd.exe PID 1868 wrote to memory of 1732 1868 uni2.exe cmd.exe PID 1732 wrote to memory of 1736 1732 cmd.exe WMIC.exe PID 1732 wrote to memory of 1736 1732 cmd.exe WMIC.exe PID 1732 wrote to memory of 1736 1732 cmd.exe WMIC.exe PID 1868 wrote to memory of 1184 1868 uni2.exe cmd.exe PID 1868 wrote to memory of 1184 1868 uni2.exe cmd.exe PID 1868 wrote to memory of 1184 1868 uni2.exe cmd.exe PID 1184 wrote to memory of 2044 1184 cmd.exe WMIC.exe PID 1184 wrote to memory of 2044 1184 cmd.exe WMIC.exe PID 1184 wrote to memory of 2044 1184 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\uni2.exe"C:\Users\Admin\AppData\Local\Temp\uni2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmotFilesize
71KB
MD5dfeffc3924409d9c9d3c8cae05be922b
SHA1a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4
SHA25606ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6
SHA512d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33