Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
16-03-2023 17:03
Behavioral task
behavioral1
Sample
0x000600000002316e-145.exe
Resource
win7-20230220-en
General
-
Target
0x000600000002316e-145.exe
-
Size
3.0MB
-
MD5
a22f4f4fd882dc77ae4adcf180d34f1a
-
SHA1
b630ffa68e2fe05f60dec473368354e8c07a53c5
-
SHA256
a7e18f8334187302d07b411518c03f7b472b7ba17751e6f5d239541105aedd36
-
SHA512
1f1e5cb83dc8b95630702faea3107ffd6929dcbad1b30b5b7d77d5b7284d883a60fac0d802e7b9b624b45ee0362af08d5d8426b5d010e0f71cc1bd01c46a329e
-
SSDEEP
49152:KGX3o2lDES/ed3+XMxfE36PalsLFA8ppBnVIk1o:goELE+LO8pTA
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description  pid  process
Token: SeIncreaseQuotaPrivilege  928  wmic.exe
Token: SeSecurityPrivilege  928  wmic.exe
Token: SeTakeOwnershipPrivilege  928  wmic.exe
Token: SeLoadDriverPrivilege  928  wmic.exe
Token: SeSystemProfilePrivilege  928  wmic.exe
Token: SeSystemtimePrivilege  928  wmic.exe
Token: SeProfSingleProcessPrivilege  928  wmic.exe
Token: SeIncBasePriorityPrivilege  928  wmic.exe
Token: SeCreatePagefilePrivilege  928  wmic.exe
Token: SeBackupPrivilege  928  wmic.exe
Token: SeRestorePrivilege  928  wmic.exe
Token: SeShutdownPrivilege  928  wmic.exe
Token: SeDebugPrivilege  928  wmic.exe
Token: SeSystemEnvironmentPrivilege  928  wmic.exe
Token: SeRemoteShutdownPrivilege  928  wmic.exe
Token: SeUndockPrivilege  928  wmic.exe
Token: SeManageVolumePrivilege  928  wmic.exe
Token: 33  928  wmic.exe
Token: 34  928  wmic.exe
Token: 35  928  wmic.exe
Token: SeIncreaseQuotaPrivilege  928  wmic.exe
Token: SeSecurityPrivilege  928  wmic.exe
Token: SeTakeOwnershipPrivilege  928  wmic.exe
Token: SeLoadDriverPrivilege  928  wmic.exe
Token: SeSystemProfilePrivilege  928  wmic.exe
Token: SeSystemtimePrivilege  928  wmic.exe
Token: SeProfSingleProcessPrivilege  928  wmic.exe
Token: SeIncBasePriorityPrivilege  928  wmic.exe
Token: SeCreatePagefilePrivilege  928  wmic.exe
Token: SeBackupPrivilege  928  wmic.exe
Token: SeRestorePrivilege  928  wmic.exe
Token: SeShutdownPrivilege  928  wmic.exe
Token: SeDebugPrivilege  928  wmic.exe
Token: SeSystemEnvironmentPrivilege  928  wmic.exe
Token: SeRemoteShutdownPrivilege  928  wmic.exe
Token: SeUndockPrivilege  928  wmic.exe
Token: SeManageVolumePrivilege  928  wmic.exe
Token: 33  928  wmic.exe
Token: 34  928  wmic.exe
Token: 35  928  wmic.exe
Token: SeIncreaseQuotaPrivilege  1196  WMIC.exe
Token: SeSecurityPrivilege  1196  WMIC.exe
Token: SeTakeOwnershipPrivilege  1196  WMIC.exe
Token: SeLoadDriverPrivilege  1196  WMIC.exe
Token: SeSystemProfilePrivilege  1196  WMIC.exe
Token: SeSystemtimePrivilege  1196  WMIC.exe
Token: SeProfSingleProcessPrivilege  1196  WMIC.exe
Token: SeIncBasePriorityPrivilege  1196  WMIC.exe
Token: SeCreatePagefilePrivilege  1196  WMIC.exe
Token: SeBackupPrivilege  1196  WMIC.exe
Token: SeRestorePrivilege  1196  WMIC.exe
Token: SeShutdownPrivilege  1196  WMIC.exe
Token: SeDebugPrivilege  1196  WMIC.exe
Token: SeSystemEnvironmentPrivilege  1196  WMIC.exe
Token: SeRemoteShutdownPrivilege  1196  WMIC.exe
Token: SeUndockPrivilege  1196  WMIC.exe
Token: SeManageVolumePrivilege  1196  WMIC.exe
Token: 33  1196  WMIC.exe
Token: 34  1196  WMIC.exe
Token: 35  1196  WMIC.exe
Token: SeIncreaseQuotaPrivilege  1196  WMIC.exe
Token: SeSecurityPrivilege  1196  WMIC.exe
Token: SeTakeOwnershipPrivilege  1196  WMIC.exe
Token: SeLoadDriverPrivilege  1196  WMIC.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description  pid  process  target process
PID 932 wrote to memory of 928  932  0x000600000002316e-145.exe  wmic.exe
PID 932 wrote to memory of 928  932  0x000600000002316e-145.exe  wmic.exe
PID 932 wrote to memory of 928  932  0x000600000002316e-145.exe  wmic.exe
PID 932 wrote to memory of 1468  932  0x000600000002316e-145.exe  cmd.exe
PID 932 wrote to memory of 1468  932  0x000600000002316e-145.exe  cmd.exe
PID 932 wrote to memory of 1468  932  0x000600000002316e-145.exe  cmd.exe
PID 1468 wrote to memory of 1196  1468  cmd.exe  WMIC.exe
PID 1468 wrote to memory of 1196  1468  cmd.exe  WMIC.exe
PID 1468 wrote to memory of 1196  1468  cmd.exe  WMIC.exe
PID 932 wrote to memory of 1904  932  0x000600000002316e-145.exe  cmd.exe
PID 932 wrote to memory of 1904  932  0x000600000002316e-145.exe  cmd.exe
PID 932 wrote to memory of 1904  932  0x000600000002316e-145.exe  cmd.exe
PID 1904 wrote to memory of 1444  1904  cmd.exe  WMIC.exe
PID 1904 wrote to memory of 1444  1904  cmd.exe  WMIC.exe
PID 1904 wrote to memory of 1444  1904  cmd.exe  WMIC.exe
Processes (bracketed number = depth in the process tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\0x000600000002316e-145.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0x000600000002316e-145.exe"
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Windows\System32\Wbem\wmic.exe
      command line: wmic os get Caption
      - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /C "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic path win32_VideoController get name
        - Suspicious use of AdjustPrivilegeToken
-
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /C "wmic cpu get name"
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic cpu get name
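The three WMIC queries in the tree above (OS caption, video controller name, CPU name) are host-profiling queries that stealers and other malware commonly run to fingerprint the victim and to spot sandbox or VM hardware. Note that every AdjustPrivilegeToken hit is attributed to wmic.exe / WMIC.exe (PIDs 928 and 1196), not to the sample; that is consistent with WMIC enabling the privileges available to its own token at startup rather than with the sample escalating, so that signature on its own is weak evidence here. The following Python detection is an added example by the editor, not part of the report or of the sample: it runs over a constructed set of process-creation events modelled on this tree (pid, ppid, image, command line, the fields a Sysmon event ID 1 feed provides) plus one benign interactive query, walks each WMIC process up through cmd.exe to its originating process, and flags an origin that issues two or more distinct fingerprinting queries, rating the finding higher when that origin runs from a user Temp directory. The field names, thresholds and the benign events are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's process tree,
# plus one benign interactive WMIC query (PIDs 2000/2001) for contrast.
# These are not real telemetry from the page.
EVENTS = [
    {"pid": 932, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0x000600000002316e-145.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0x000600000002316e-145.exe"'},
    {"pid": 928, "ppid": 932, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic os get Caption"},
    {"pid": 1468, "ppid": 932, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 1196, "ppid": 1468, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 1904, "ppid": 932, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 1444, "ppid": 1904, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
    # Benign (assumed): an admin's interactive shell, whose own parent is not
    # in the feed, runs a single CPU query.
    {"pid": 2000, "ppid": 500, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
]

# Host/VM fingerprinting queries seen in the tree, keyed by a short label.
# Matching is case-insensitive because WMIC accepts any casing.
FINGERPRINT_QUERIES = {
    "os_caption": re.compile(r"\bwmic\b.*\bos\b.*\bget\b.*\bcaption\b", re.I),
    "gpu_name": re.compile(r"\bwmic\b.*\bwin32_videocontroller\b.*\bget\b.*\bname\b", re.I),
    "cpu_name": re.compile(r"\bwmic\b.*\bcpu\b.*\bget\b.*\bname\b", re.I),
}
LAUNCHERS = {"cmd.exe", "powershell.exe"}   # looked through, never treated as the origin
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(cmdline):
    """Return the fingerprint label for a WMIC command line, or None."""
    for label, rx in FINGERPRINT_QUERIES.items():
        if rx.search(cmdline):
            return label
    return None


def origin_of(pid, by_pid):
    """Walk up from a WMIC process through cmd.exe/powershell.exe launchers to
    the process that actually initiated the query (the sample in this tree).
    If the chain leaves the feed, the last launcher seen is the best origin."""
    ev = by_pid.get(pid)
    if ev is None:
        return None
    parent = by_pid.get(ev["ppid"])
    while parent is not None and basename(parent["image"]) in LAUNCHERS:
        ev = parent
        parent = by_pid.get(ev["ppid"])
    return parent if parent is not None else ev


def detect(events, min_distinct=2):
    """Group fingerprinting WMIC queries by originating process and flag an
    origin that issues min_distinct or more distinct queries, or any such
    query when the origin runs from a user Temp directory."""
    by_pid = {e["pid"]: e for e in events}
    queries_by_origin = defaultdict(dict)      # origin pid -> {label: wmic pid}
    for e in events:
        if basename(e["image"]) != "wmic.exe":
            continue
        label = classify(e["cmdline"])
        if label is None:
            continue
        origin = origin_of(e["pid"], by_pid)
        if origin is not None:
            queries_by_origin[origin["pid"]].setdefault(label, e["pid"])

    findings = []
    for opid, queries in queries_by_origin.items():
        origin = by_pid[opid]
        from_temp = bool(USER_TEMP.search(origin["image"]))
        if len(queries) >= min_distinct or from_temp:
            findings.append({
                "origin_pid": opid,
                "origin_image": origin["image"],
                "queries": sorted(queries),
                "wmic_pids": [queries[q] for q in sorted(queries)],
                "from_temp": from_temp,
                "severity": "high" if from_temp and len(queries) >= min_distinct else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed feed, the only finding is origin PID 932 (the sample in Temp) with all three queries, rated high; the lone interactive `wmic cpu get name` under the admin's cmd.exe is not reported. Walking through cmd.exe matters because two of the three queries here are launched via `cmd /C`, so a rule keyed on the WMIC parent alone would see cmd.exe and never correlate them.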
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB
MD5
6a3c2fe239e67cd5804a699b9aa54b07
SHA1
018091f0c903173dec18cd10e0e00889f0717d67
SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168
SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37