Analysis
- max time kernel: 165s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 14:45
Behavioral task
- behavioral1
- Sample: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
- Resource: win7-20230220-en
General
- Target: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
- Size: 1.4MB
- MD5: ea1dffab7eaa37262aa2d5557d8915af
- SHA1: 930924541704e8283ef0ae3ebc3dcaf3f407cef4
- SHA256: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0
- SHA512: 499b62c1cb105ed3f183a14d6c5420edfb016e49ed58e79f4098478a5bd631bcc4ba87681608a1c9f9dd8e9ba3b29356b481a0b124d453bc2c67f4e10674f5e9
- SSDEEP: 24576:/GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dR/F5htSt:epEUIvU0N9jkpjweXt77d5f8
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (10 IoCs)
  Processes: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
  Process for every row below: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
  description                    ioc
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
  File opened for modification   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
  File created                   C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid    process
  4868   taskkill.exe
- Modifies system certificate store
  Processes: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
  Process for every row below: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
  description        ioc
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not present in this copy of the report]
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe, taskkill.exe
  description (Token) / pid / process:
  pid 3400, 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe:
    Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  pid 4868, taskkill.exe:
    Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe, cmd.exe
  description                        pid    process                                                                  target process
  PID 3400 wrote to memory of 3324   3400   9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe   cmd.exe
  PID 3400 wrote to memory of 3324   3400   9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe   cmd.exe
  PID 3400 wrote to memory of 3324   3400   9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe   cmd.exe
  PID 3324 wrote to memory of 4868   3324   cmd.exe                                                                  taskkill.exe
  PID 3324 wrote to memory of 4868   3324   cmd.exe                                                                  taskkill.exe
  PID 3324 wrote to memory of 4868   3324   cmd.exe                                                                  taskkill.exe
  PID 3400 wrote to memory of 4876   3400   9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe   chrome.exe
  PID 3400 wrote to memory of 4876   3400   9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe   chrome.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe"
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c taskkill /f /im chrome.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im chrome.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"