Analysis
max time kernel: 109s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2023 16:19
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20230220-en
General
Target: file.exe
Size: 4.8MB
MD5: d442830fc92de9465d9bf425922173a5
SHA1: 27eaed777470e6a9f855894b2af3c7baa1c812eb
SHA256: 5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
SHA512: 1ce42ab9055bf0c15f8f4b90820c8d4c74f348dc1e1833d26f55f61b671cdafee24a0777ea60a3a5cf5b297c31380a79a1a7d0568c81886f2472d265f77c7146
SSDEEP: 98304:9j3/I9FTuPXPlGUi317EPTiu0ENWS5ywGDZHU:9/MF4l5GgUEMSrwU
Malware Config
Extracted
Family: aurora
C2: 138.201.198.8:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers read the browser profile directories, which hold saved logins, cookies and autofill data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2016 file.exe set the thread context of PID 5092 file.exe
  Together with the eleven WriteProcessMemory calls from 2016 into 5092 recorded below, this is the process-hollowing sequence: the loader starts a second copy of itself, overwrites that child's memory with the payload, and then points the child's thread at the new entry point. The 3.2MB region at 0x400000 in the PID 5092 memory dumps is where that payload lands.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  PID 4440 wmic.exe enabled the following privileges, and the full set is recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus the privileges the report lists only by LUID as 33, 34, 35 and 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  PID 2148 WMIC.exe enabled the same set once, followed by one further SeIncreaseQuotaPrivilege entry, which is where the 64-IoC list ends.
  Caveat: AdjustTokenPrivileges can only enable privileges the token already holds, so nothing here is an escalation. The same set appears whenever wmic.exe starts, so this signature fires on the tool, not on anything the sample does with it.
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (writer -> target, number of writes):
  PID 2016 file.exe -> PID 5092 file.exe: 11
  PID 5092 file.exe -> PID 4440 wmic.exe: 3
  PID 5092 file.exe -> PID 3968 cmd.exe: 3
  PID 3968 cmd.exe -> PID 2148 WMIC.exe: 3
  PID 5092 file.exe -> PID 4360 cmd.exe: 3
  PID 4360 cmd.exe -> PID 3652 WMIC.exe: 3
  Three writes into every cmd.exe and wmic.exe child is the baseline this report shows for an ordinary CreateProcess; only the eleven writes from 2016 into the same-image child 5092 are out of pattern.
Processes
PIDs are taken from the SetThreadContext and WriteProcessMemory tables above, matched to the tree in the order both list the processes. The SysWOW64 paths show that file.exe is a 32-bit image running under WOW64 on the x64 guest.
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2016)
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\file.exe (PID 5092)
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4440)
      wmic os get Caption
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 3968)
      cmd /C "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2148)
        wmic path win32_VideoController get name
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 4360)
      cmd /C "wmic cpu get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3652)
        wmic cpu get name
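The two behaviours this report records, the same-image child that gets written to and then has its thread context replaced, and the three wmic host-fingerprint queries launched (partly through cmd /C) from an executable in the user's Temp directory, can be turned into detection logic. The following is an added example and is not part of the Triage report or of the sample: the event records are constructed from the process tree and the SetThreadContext / WriteProcessMemory tables above, and the field names (kind, pid, ppid, image, cmdline, target) are this example's own schema, not a sandbox or Sysmon format.

```python
"""Detection logic over a constructed replay of the report's process events."""
import re
from collections import defaultdict

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\file.exe"

# Constructed from the report; the repeated writes into 5092 are collapsed to one.
EVENTS = [
    {"kind": "process_create", "pid": 2016, "ppid": 1, "image": TEMP_EXE, "cmdline": f'"{TEMP_EXE}"'},
    {"kind": "process_create", "pid": 5092, "ppid": 2016, "image": TEMP_EXE, "cmdline": f'"{TEMP_EXE}"'},
    {"kind": "write_process_memory", "pid": 2016, "target": 5092},
    {"kind": "set_thread_context", "pid": 2016, "target": 5092},
    {"kind": "process_create", "pid": 4440, "ppid": 5092,
     "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe", "cmdline": "wmic os get Caption"},
    {"kind": "process_create", "pid": 3968, "ppid": 5092,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"kind": "process_create", "pid": 2148, "ppid": 3968,
     "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "cmdline": "wmic path win32_VideoController get name"},
    {"kind": "process_create", "pid": 4360, "ppid": 5092,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": 'cmd /C "wmic cpu get name"'},
    {"kind": "process_create", "pid": 3652, "ppid": 4360,
     "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "cmdline": "wmic cpu get name"},
]

# Launch location seen in this report; extend for Downloads, %ProgramData% and similar.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# The three host-fingerprint queries in the report, keyed by what they enumerate.
WMI_FINGERPRINT = {
    "os":  re.compile(r"\bwmic\b.*\bos\b.*\bget\b.*\bcaption\b", re.IGNORECASE),
    "gpu": re.compile(r"\bwmic\b.*\bwin32_videocontroller\b.*\bget\b.*\bname\b", re.IGNORECASE),
    "cpu": re.compile(r"\bwmic\b.*\bcpu\b.*\bget\b.*\bname\b", re.IGNORECASE),
}


def build_tree(events):
    """pid -> process_create record."""
    return {e["pid"]: e for e in events if e["kind"] == "process_create"}


def ancestry(procs, pid):
    """Yield pid and each known ancestor, nearest first; stops at an unknown ppid or a cycle."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid
        pid = procs[pid]["ppid"]


def detect_hollowing(events, procs):
    """A parent writes into a child running the SAME image, then resets that child's thread context.

    Returns (parent_pid, child_pid) pairs. A plain CreateProcess also writes into the new child
    (three writes per cmd.exe/wmic.exe child in the report), so the write alone is not enough;
    SetThreadContext on a same-image child the caller itself created is the tell.
    """
    wrote, hits = set(), []
    for e in events:
        if e["kind"] == "write_process_memory":
            wrote.add((e["pid"], e["target"]))
        elif e["kind"] == "set_thread_context":
            src, dst = procs.get(e["pid"]), procs.get(e["target"])
            if (src and dst and (e["pid"], e["target"]) in wrote
                    and dst["ppid"] == e["pid"]
                    and src["image"].lower() == dst["image"].lower()):
                hits.append((e["pid"], e["target"]))
    return hits


def detect_wmi_fingerprinting(procs, min_classes=2):
    """Group wmic fingerprint queries by the nearest ancestor started from a user-writable path.

    Walking up through cmd.exe matters: two of the three queries in the report are launched via
    `cmd /C`, so WMIC.exe's direct parent is cmd.exe rather than the stealer.
    Returns {origin_pid: sorted fingerprint classes} for origins reaching min_classes.
    """
    by_origin = defaultdict(set)
    for p in procs.values():
        if not p["image"].lower().endswith("\\wmic.exe"):
            continue
        classes = [k for k, rx in WMI_FINGERPRINT.items() if rx.search(p["cmdline"])]
        if not classes:
            continue
        origin = next((a for a in ancestry(procs, p["ppid"])
                       if USER_WRITABLE.match(procs[a]["image"])), None)
        if origin is not None:
            by_origin[origin].update(classes)
    return {pid: sorted(c) for pid, c in by_origin.items() if len(c) >= min_classes}


def findings(events):
    """Human-readable findings for one event stream."""
    procs = build_tree(events)
    out = [f"process hollowing: PID {p} -> PID {c} ({procs[c]['image']})"
           for p, c in detect_hollowing(events, procs)]
    for pid, classes in sorted(detect_wmi_fingerprinting(procs).items()):
        out.append(f"WMI host fingerprinting from PID {pid}: {', '.join(classes)}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Run stand-alone it reports the hollowing pair 2016 -> 5092 and all three fingerprint classes attributed to PID 5092. The fingerprinting rule deliberately keys on the origin rather than on wmic.exe itself, since wmic queries from an interactive shell or an inventory agent under System32 or Program Files are routine; lower `min_classes` to 1 if a single `wmic os get Caption` from Temp is already actionable in your environment.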
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: dce9b749d38fdc247ab517e8a76e6102
  SHA1: d6c5b6548e1a3da3326bd097c50c49fc7906be3f
  SHA256: 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
  SHA512: 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 92d24961d2ebaacf1ace5463dfc9930d
  SHA1: 99ffaf6904ab616c33a37ce01d383e4a493df335
  SHA256: 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
  SHA512: 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7
Memory dumps (file name, region size)
- memory/2016-133-0x0000000000150000-0x000000000061E000-memory.dmp: 4.8MB
- memory/2016-134-0x0000000005040000-0x00000000050DC000-memory.dmp: 624KB
- memory/2016-135-0x0000000005690000-0x0000000005C34000-memory.dmp: 5.6MB
- memory/2016-136-0x00000000050E0000-0x0000000005172000-memory.dmp: 584KB
- memory/2016-137-0x0000000004F80000-0x0000000004F90000-memory.dmp: 64KB
- memory/2016-138-0x0000000004FF0000-0x0000000004FFA000-memory.dmp: 40KB
- memory/2016-139-0x00000000052D0000-0x0000000005326000-memory.dmp: 344KB
- memory/5092-140-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-143-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-144-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-145-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-146-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-148-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-149-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-150-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
- memory/5092-203-0x0000000000400000-0x0000000000731000-memory.dmp: 3.2MB
The 4.8MB region at 0x150000 in PID 2016 matches the on-disk size of file.exe and is the loader's own mapped image. All nine dumps for PID 5092 cover the same 0x400000-0x731000 range, the conventional image base of a 32-bit PE, taken at successive points in the run; that region holds the payload written into the hollowed child and is the one to carve for static analysis of the stealer itself.