Analysis
- max time kernel: 145s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 17-03-2023 13:17
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
- Target: tmp.exe
- Size: 7.5MB
- MD5: 1431d295525534f244dd34a8a311b87f
- SHA1: 2d0d2190ed780bf8dfed135bd1d12cae53860ebe
- SHA256: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
- SHA512: dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
- SSDEEP: 24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1
Malware Config
Extracted
aurora
45.15.156.172:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: tmp.exe
    description                           pid   process   target process
    PID 2156 set thread context of 2184   2156  tmp.exe   tmp.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
    pid 4136 wmic.exe, 42 IoCs: each of the following 21 tokens recorded twice, in this order
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
      SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
      SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
      SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
      SeManageVolumePrivilege, 33, 34, 35, 36
    pid 2964 WMIC.exe, 22 IoCs: the same 21 tokens once, in the same order, followed by
      Token: SeIncreaseQuotaPrivilege once more
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: tmp.exe, tmp.exe, cmd.exe, cmd.exe
    description                        pid   process   target process   occurrences
    PID 2156 wrote to memory of 2184   2156  tmp.exe   tmp.exe          10
    PID 2184 wrote to memory of 4136   2184  tmp.exe   wmic.exe         2
    PID 2184 wrote to memory of 3044   2184  tmp.exe   cmd.exe          2
    PID 3044 wrote to memory of 2964   3044  cmd.exe   WMIC.exe         2
    PID 2184 wrote to memory of 4992   2184  tmp.exe   cmd.exe          2
    PID 4992 wrote to memory of 1040   4992  cmd.exe   WMIC.exe         2
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (level 3)
      command line: wmic os get Caption
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3)
      command line: cmd /C "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (level 4)
        command line: wmic path win32_VideoController get name
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3)
      command line: cmd /C "wmic cpu get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (level 4)
        command line: wmic cpu get name
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: 8c7576873886d730d55e52070f35fea0
  SHA1: cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1
  SHA256: 06b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa
  SHA512: 374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 72KB
  MD5: 5aeeafe26d1e0441647e0b0d7b880c81
  SHA1: 45a00f65a99d1cec35bd6a21891ac469a86f451c
  SHA256: c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd
  SHA512: 3e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5
- Memory dumps of pid 2184, region 0x0000000000960000-0x0000000000CBC000, Filesize 3.4MB each:
  memory/2184-133-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-138-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-143-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-144-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-145-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-146-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-147-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-148-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-149-0x0000000000960000-0x0000000000CBC000-memory.dmp
  memory/2184-204-0x0000000000960000-0x0000000000CBC000-memory.dmp