Analysis
max time kernel: 100s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-03-2023 13:11
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
Target: tmp.exe
Size: 7.5MB
MD5: 1431d295525534f244dd34a8a311b87f
SHA1: 2d0d2190ed780bf8dfed135bd1d12cae53860ebe
SHA256: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
SHA512: dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
SSDEEP: 24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1
Malware Config
Extracted
aurora
45.15.156.172:8081
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
Processes: tmp.exe
description | pid | process | target process
PID 4148 set thread context of 484 | 4148 | tmp.exe | tmp.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wmic.exe, WMIC.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4784 | wmic.exe
Token: SeSecurityPrivilege | 4784 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4784 | wmic.exe
Token: SeLoadDriverPrivilege | 4784 | wmic.exe
Token: SeSystemProfilePrivilege | 4784 | wmic.exe
Token: SeSystemtimePrivilege | 4784 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4784 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4784 | wmic.exe
Token: SeCreatePagefilePrivilege | 4784 | wmic.exe
Token: SeBackupPrivilege | 4784 | wmic.exe
Token: SeRestorePrivilege | 4784 | wmic.exe
Token: SeShutdownPrivilege | 4784 | wmic.exe
Token: SeDebugPrivilege | 4784 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4784 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4784 | wmic.exe
Token: SeUndockPrivilege | 4784 | wmic.exe
Token: SeManageVolumePrivilege | 4784 | wmic.exe
Token: 33 | 4784 | wmic.exe
Token: 34 | 4784 | wmic.exe
Token: 35 | 4784 | wmic.exe
Token: 36 | 4784 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4784 | wmic.exe
Token: SeSecurityPrivilege | 4784 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4784 | wmic.exe
Token: SeLoadDriverPrivilege | 4784 | wmic.exe
Token: SeSystemProfilePrivilege | 4784 | wmic.exe
Token: SeSystemtimePrivilege | 4784 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4784 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4784 | wmic.exe
Token: SeCreatePagefilePrivilege | 4784 | wmic.exe
Token: SeBackupPrivilege | 4784 | wmic.exe
Token: SeRestorePrivilege | 4784 | wmic.exe
Token: SeShutdownPrivilege | 4784 | wmic.exe
Token: SeDebugPrivilege | 4784 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4784 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4784 | wmic.exe
Token: SeUndockPrivilege | 4784 | wmic.exe
Token: SeManageVolumePrivilege | 4784 | wmic.exe
Token: 33 | 4784 | wmic.exe
Token: 34 | 4784 | wmic.exe
Token: 35 | 4784 | wmic.exe
Token: 36 | 4784 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3972 | WMIC.exe
Token: SeSecurityPrivilege | 3972 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3972 | WMIC.exe
Token: SeLoadDriverPrivilege | 3972 | WMIC.exe
Token: SeSystemProfilePrivilege | 3972 | WMIC.exe
Token: SeSystemtimePrivilege | 3972 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3972 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3972 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3972 | WMIC.exe
Token: SeBackupPrivilege | 3972 | WMIC.exe
Token: SeRestorePrivilege | 3972 | WMIC.exe
Token: SeShutdownPrivilege | 3972 | WMIC.exe
Token: SeDebugPrivilege | 3972 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3972 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3972 | WMIC.exe
Token: SeUndockPrivilege | 3972 | WMIC.exe
Token: SeManageVolumePrivilege | 3972 | WMIC.exe
Token: 33 | 3972 | WMIC.exe
Token: 34 | 3972 | WMIC.exe
Token: 35 | 3972 | WMIC.exe
Token: 36 | 3972 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3972 | WMIC.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: tmp.exe, tmp.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 4148 wrote to memory of 484 | 4148 | tmp.exe | tmp.exe
PID 484 wrote to memory of 4784 | 484 | tmp.exe | wmic.exe
PID 484 wrote to memory of 4784 | 484 | tmp.exe | wmic.exe
PID 484 wrote to memory of 1648 | 484 | tmp.exe | cmd.exe
PID 484 wrote to memory of 1648 | 484 | tmp.exe | cmd.exe
PID 1648 wrote to memory of 3972 | 1648 | cmd.exe | WMIC.exe
PID 1648 wrote to memory of 3972 | 1648 | cmd.exe | WMIC.exe
PID 484 wrote to memory of 1876 | 484 | tmp.exe | cmd.exe
PID 484 wrote to memory of 1876 | 484 | tmp.exe | cmd.exe
PID 1876 wrote to memory of 1212 | 1876 | cmd.exe | WMIC.exe
PID 1876 wrote to memory of 1212 | 1876 | cmd.exe | WMIC.exe
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 4148
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 484
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic os get Caption
      PID: 4784
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: cmd /C "wmic path win32_VideoController get name"
      PID: 1648
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        PID: 3972
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: cmd /C "wmic cpu get name"
      PID: 1876
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic cpu get name
        PID: 1212
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2KB
MD5: dce9b749d38fdc247ab517e8a76e6102
SHA1: d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA256: 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA512: 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Filesize: 71KB
MD5: 92d24961d2ebaacf1ace5463dfc9930d
SHA1: 99ffaf6904ab616c33a37ce01d383e4a493df335
SHA256: 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA512: 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7