Analysis
-
max time kernel
53s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15-03-2023 05:05
Behavioral task
behavioral1
Sample
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
Resource
win7-20230220-en
General
-
Target
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
-
Size
3.0MB
-
MD5
a8a106555b9e1f92569d623c66ee8c12
-
SHA1
a5080c26b5f5911c10d80654c84239a226fc75d1
-
SHA256
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
-
SHA512
9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
SSDEEP
49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 268 wmic.exe Token: SeSecurityPrivilege 268 wmic.exe Token: SeTakeOwnershipPrivilege 268 wmic.exe Token: SeLoadDriverPrivilege 268 wmic.exe Token: SeSystemProfilePrivilege 268 wmic.exe Token: SeSystemtimePrivilege 268 wmic.exe Token: SeProfSingleProcessPrivilege 268 wmic.exe Token: SeIncBasePriorityPrivilege 268 wmic.exe Token: SeCreatePagefilePrivilege 268 wmic.exe Token: SeBackupPrivilege 268 wmic.exe Token: SeRestorePrivilege 268 wmic.exe Token: SeShutdownPrivilege 268 wmic.exe Token: SeDebugPrivilege 268 wmic.exe Token: SeSystemEnvironmentPrivilege 268 wmic.exe Token: SeRemoteShutdownPrivilege 268 wmic.exe Token: SeUndockPrivilege 268 wmic.exe Token: SeManageVolumePrivilege 268 wmic.exe Token: 33 268 wmic.exe Token: 34 268 wmic.exe Token: 35 268 wmic.exe Token: SeIncreaseQuotaPrivilege 268 wmic.exe Token: SeSecurityPrivilege 268 wmic.exe Token: SeTakeOwnershipPrivilege 268 wmic.exe Token: SeLoadDriverPrivilege 268 wmic.exe Token: SeSystemProfilePrivilege 268 wmic.exe Token: SeSystemtimePrivilege 268 wmic.exe Token: SeProfSingleProcessPrivilege 268 wmic.exe Token: SeIncBasePriorityPrivilege 268 wmic.exe Token: SeCreatePagefilePrivilege 268 wmic.exe Token: SeBackupPrivilege 268 wmic.exe Token: SeRestorePrivilege 268 wmic.exe Token: SeShutdownPrivilege 268 wmic.exe Token: SeDebugPrivilege 268 wmic.exe Token: SeSystemEnvironmentPrivilege 268 wmic.exe Token: SeRemoteShutdownPrivilege 268 wmic.exe Token: SeUndockPrivilege 268 wmic.exe Token: SeManageVolumePrivilege 268 wmic.exe Token: 33 268 wmic.exe Token: 34 268 wmic.exe Token: 35 268 wmic.exe Token: SeIncreaseQuotaPrivilege 1164 WMIC.exe Token: SeSecurityPrivilege 1164 WMIC.exe Token: SeTakeOwnershipPrivilege 1164 WMIC.exe Token: SeLoadDriverPrivilege 1164 WMIC.exe Token: SeSystemProfilePrivilege 1164 WMIC.exe Token: SeSystemtimePrivilege 1164 WMIC.exe Token: SeProfSingleProcessPrivilege 1164 WMIC.exe Token: SeIncBasePriorityPrivilege 1164 WMIC.exe Token: SeCreatePagefilePrivilege 1164 WMIC.exe Token: SeBackupPrivilege 1164 WMIC.exe Token: SeRestorePrivilege 1164 WMIC.exe Token: SeShutdownPrivilege 1164 WMIC.exe Token: SeDebugPrivilege 1164 WMIC.exe Token: SeSystemEnvironmentPrivilege 1164 WMIC.exe Token: SeRemoteShutdownPrivilege 1164 WMIC.exe Token: SeUndockPrivilege 1164 WMIC.exe Token: SeManageVolumePrivilege 1164 WMIC.exe Token: 33 1164 WMIC.exe Token: 34 1164 WMIC.exe Token: 35 1164 WMIC.exe Token: SeIncreaseQuotaPrivilege 1164 WMIC.exe Token: SeSecurityPrivilege 1164 WMIC.exe Token: SeTakeOwnershipPrivilege 1164 WMIC.exe Token: SeLoadDriverPrivilege 1164 WMIC.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.execmd.execmd.exedescription pid process target process PID 1996 wrote to memory of 268 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 1996 wrote to memory of 268 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 1996 wrote to memory of 268 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 1996 wrote to memory of 268 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe wmic.exe PID 1996 wrote to memory of 1216 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1996 wrote to memory of 1216 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1996 wrote to memory of 1216 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1996 wrote to memory of 1216 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1216 wrote to memory of 1164 1216 cmd.exe WMIC.exe PID 1216 wrote to memory of 1164 1216 cmd.exe WMIC.exe PID 1216 wrote to memory of 1164 1216 cmd.exe WMIC.exe PID 1216 wrote to memory of 1164 1216 cmd.exe WMIC.exe PID 1996 wrote to memory of 544 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1996 wrote to memory of 544 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1996 wrote to memory of 544 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 1996 wrote to memory of 544 1996 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe cmd.exe PID 544 wrote to memory of 1684 544 cmd.exe WMIC.exe PID 544 wrote to memory of 1684 544 cmd.exe WMIC.exe PID 544 wrote to memory of 1684 544 cmd.exe WMIC.exe PID 544 wrote to memory of 1684 544 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmotFilesize
71KB
MD57634ebd082abbba35a8e6a300ec83c51
SHA1953666e70fbed932e4bed446f1d1e432781972b7
SHA256792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f
SHA5126f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e