Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-03-2023 13:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: tmp.exe
  - Resource: win7-20230220-en
General
- Target: tmp.exe
- Size: 7.5MB
- MD5: 1431d295525534f244dd34a8a311b87f
- SHA1: 2d0d2190ed780bf8dfed135bd1d12cae53860ebe
- SHA256: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
- SHA512: dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
- SSDEEP: 24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1
Malware Config
Extracted
- aurora
- 45.15.156.172:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: tmp.exe
  description | pid | process | target process
  PID 1376 set thread context of 1656 | 1376 | tmp.exe | tmp.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  description | pid | process
  One row per privilege, in the order listed. The 20-privilege sequence is: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35.
  Token: <privilege> | 856 | wmic.exe  (the full 20-privilege sequence, twice: 40 rows)
  Token: <privilege> | 1732 | WMIC.exe  (the full 20-privilege sequence once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege: 24 rows)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: tmp.exe, tmp.exe, cmd.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 1376 wrote to memory of 1656 | 1376 | tmp.exe | tmp.exe | 11
  PID 1656 wrote to memory of 856 | 1656 | tmp.exe | wmic.exe | 3
  PID 1656 wrote to memory of 1796 | 1656 | tmp.exe | cmd.exe | 3
  PID 1796 wrote to memory of 1732 | 1796 | cmd.exe | WMIC.exe | 3
  PID 1656 wrote to memory of 1176 | 1656 | tmp.exe | cmd.exe | 3
  PID 1176 wrote to memory of 1684 | 1176 | cmd.exe | WMIC.exe | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"  (depth 1, PID 1376)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"  (depth 2, PID 1656)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe  wmic os get Caption  (depth 3, PID 856)
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe  cmd /C "wmic path win32_VideoController get name"  (depth 3, PID 1796)
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe  wmic path win32_VideoController get name  (depth 4, PID 1732)
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe  cmd /C "wmic cpu get name"  (depth 3, PID 1176)
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe  wmic cpu get name  (depth 4, PID 1684)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 71KB
  MD5: e5e23f78017d1e6eddfc8480e1679ee4
  SHA1: 0667bd1b7129b105bd2c66ef6ad54c9648aec072
  SHA256: 4fed2f4c33a3876390d8520f184062927aca8e0ce3538127de3a2f66ea856d91
  SHA512: b1260e7ba7ad6d5dd0daeabc5f7cc1fc7a2e9259092f8d70d3d9eed923ed8aa60adcce4c27e9cb20966d500ed59edaaba9570f01d6a84180f1fb83e7b5c20049