Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2023 13:17
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
Target: tmp.exe
Size: 7.5MB
MD5: 1431d295525534f244dd34a8a311b87f
SHA1: 2d0d2190ed780bf8dfed135bd1d12cae53860ebe
SHA256: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
SHA512: dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
SSDEEP: 24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1
Malware Config
Extracted family: aurora
C2 (from extracted config): 45.15.156.172:8081
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which can include saved credentials and session cookies.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 1252 (tmp.exe) set thread context of PID 2040 (tmp.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
PID 736 wmic.exe, enabled twice in sequence: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (40 events)
PID 1784 WMIC.exe, the same 20-privilege set once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (24 events; the report stops at 64 IoCs)
The unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Note that the actor here is wmic.exe, not the sample: WMIC enables every privilege in its own token at startup, so this signature is a side effect of the sample launching WMIC rather than evidence that tmp.exe manipulated its own token.
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
PID 1252 tmp.exe wrote to memory of PID 2040 tmp.exe (11 writes)
PID 2040 tmp.exe wrote to memory of PID 736 wmic.exe (3 writes)
PID 2040 tmp.exe wrote to memory of PID 1796 cmd.exe (3 writes)
PID 1796 cmd.exe wrote to memory of PID 1784 WMIC.exe (3 writes)
PID 2040 tmp.exe wrote to memory of PID 1444 cmd.exe (3 writes)
PID 1444 cmd.exe wrote to memory of PID 660 WMIC.exe (3 writes)
The eleven writes from 1252 into a child running the same image, combined with the SetThreadContext call above, are the process-hollowing pattern (child created suspended, image overwritten, entry point redirected). The three-write groups into cmd.exe and WMIC.exe are what an ordinary parent produces when it spawns a child and are not injection on their own.
Processes (PIDs taken from the Signatures section above)
1. C:\Users\Admin\AppData\Local\Temp\tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"  [PID 1252]
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"  [PID 2040]
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\Wbem\wmic.exe  wmic os get Caption  [PID 736]
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\system32\cmd.exe  cmd /C "wmic path win32_VideoController get name"  [PID 1796]
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\Wbem\WMIC.exe  wmic path win32_VideoController get name  [PID 1784]
            - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\system32\cmd.exe  cmd /C "wmic cpu get name"  [PID 1444]
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\Wbem\WMIC.exe  wmic cpu get name  [PID 660]
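The two signature groups above (SetThreadContext plus WriteProcessMemory between the two tmp.exe instances, and the WMIC fan-out from the hollowed child) only become a verdict once the events are correlated. The following script is an added example, not part of the sandbox's report or of the Aurora sample: it reconstructs the process tree from a flat event stream and flags (a) a parent that writes repeatedly into a same-image child and then calls SetThreadContext on it, and (b) a set of distinct WMI host-fingerprinting queries run by that child's descendants, including those launched one hop away behind cmd /C. The event records, field layout and thresholds are constructed by hand from the PIDs and command lines shown on this page and are assumptions, not a real sandbox schema.

```python
"""Correlate flat sandbox events into two findings: process hollowing and
WMI host fingerprinting. Added example; event schema and thresholds are
assumed, the values are transcribed from the report above."""
from collections import Counter
import re

# (event, actor_pid, target_pid, image, cmdline) -- constructed from the report
EVENTS = [
    ("create", 0,    1252, "tmp.exe",  r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"),
    ("create", 1252, 2040, "tmp.exe",  r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"),
    *[("wpm", 1252, 2040, None, None)] * 11,       # 11 WriteProcessMemory calls
    ("stc", 1252, 2040, None, None),               # SetThreadContext on the child
    ("create", 2040, 736,  "wmic.exe", "wmic os get Caption"),
    *[("wpm", 2040, 736, None, None)] * 3,
    ("create", 2040, 1796, "cmd.exe",  'cmd /C "wmic path win32_VideoController get name"'),
    *[("wpm", 2040, 1796, None, None)] * 3,
    ("create", 1796, 1784, "WMIC.exe", "wmic path win32_VideoController get name"),
    *[("wpm", 1796, 1784, None, None)] * 3,
    ("create", 2040, 1444, "cmd.exe",  'cmd /C "wmic cpu get name"'),
    *[("wpm", 2040, 1444, None, None)] * 3,
    ("create", 1444, 660,  "WMIC.exe", "wmic cpu get name"),
    *[("wpm", 1444, 660, None, None)] * 3,
]

# WMI queries that enumerate the host rather than administer it
RECON_WMI = re.compile(
    r"\b(os\s+get|win32_videocontroller|cpu\s+get|win32_computersystem|"
    r"win32_operatingsystem|win32_processor)\b", re.I)


def build_tree(events):
    """Return {pid: (image, cmdline)} and {pid: parent_pid} from create events."""
    procs, parent = {}, {}
    for ev, actor, target, image, cmdline in events:
        if ev == "create":
            procs[target] = (image, cmdline)
            parent[target] = actor
    return procs, parent


def detect_hollowing(events, min_writes=4):
    """Flag a parent that writes repeatedly into a child running the SAME image
    and then redirects the child's thread with SetThreadContext. A plain
    CreateProcess parent produces a few writes and no SetThreadContext, so both
    conditions are required to avoid flagging every cmd.exe launch."""
    procs, _ = build_tree(events)
    writes = Counter((a, t) for ev, a, t, *_ in events if ev == "wpm")
    stc = {(a, t) for ev, a, t, *_ in events if ev == "stc"}
    findings = []
    for (src, dst), n in writes.items():
        same_image = (src in procs and dst in procs
                      and procs[src][0].lower() == procs[dst][0].lower())
        if same_image and n >= min_writes and (src, dst) in stc:
            findings.append({"type": "process_hollowing", "source": src,
                             "target": dst, "image": procs[dst][0], "writes": n})
    return findings


def ancestors(pid, parent):
    """Walk the parent chain up to (but excluding) the synthetic root PID 0."""
    chain = []
    while pid in parent and parent[pid] != 0:
        pid = parent[pid]
        chain.append(pid)
    return chain


def detect_wmi_recon(events, root_pid, min_queries=2):
    """Collect distinct recon WMI queries run by any descendant of root_pid."""
    procs, parent = build_tree(events)
    queries = set()
    for pid, (image, cmdline) in procs.items():
        if image.lower() == "wmic.exe" and root_pid in ancestors(pid, parent):
            m = RECON_WMI.search(cmdline or "")
            if m:
                queries.add(m.group(1).lower())
    if len(queries) >= min_queries:
        return {"type": "wmi_host_fingerprinting", "root": root_pid,
                "queries": sorted(queries)}
    return None


def analyse(events):
    """Hollowing first, then recon rooted at each hollowed child."""
    findings = detect_hollowing(events)
    for f in list(findings):
        recon = detect_wmi_recon(events, f["target"])
        if recon:
            findings.append(recon)
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Rooting the WMI check at the hollowed child rather than at the original sample matters in practice: the unpacked payload lives in PID 2040, and it is that process, not 1252, whose children carry the fingerprinting commands. Lowering `min_writes` or dropping the SetThreadContext requirement will make the three-write cmd.exe launches above trip the rule, which is the false-positive mode to watch for.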
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize: 71KB
MD5: 2beb695add0546f6a18496aae58b2558
SHA1: 1fd818202a94825c56ad7a7793bea87c6f02960e
SHA256: 132cb7037ada7d8563c5b8cf64796ed22b0fbc1ccefbbbf5faa3c18545b289ed
SHA512: e80fa42ab27afa16e0f6f72639077be7da3e73f7c7b4cecbe0d24637ee76334de77a2b61e7c3afab4e3750e53a93baa68d3cdb9c1eb55fb9a5d580cff94f21f2
Memory dumps (all from PID 2040, the hollowed child; every 3.4MB dump is a snapshot of the same 0x400000-0x75C000 image region, the one the parent wrote into before calling SetThreadContext)
memory/2040-62-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-59-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-64-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-58-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-65-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-60-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-61-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp  Filesize: 4KB
memory/2040-66-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-57-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-56-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-54-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-67-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-68-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-69-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-70-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-55-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB
memory/2040-104-0x0000000000400000-0x000000000075C000-memory.dmp  Filesize: 3.4MB