Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 14:31
Static task: static1
Behavioral task: behavioral1
Sample: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
Resource: win7-20230220-en
General
- Target: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
- Size: 7.5MB
- MD5: 1431d295525534f244dd34a8a311b87f
- SHA1: 2d0d2190ed780bf8dfed135bd1d12cae53860ebe
- SHA256: 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
- SHA512: dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
- SSDEEP: 24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1
Malware Config
Extracted
- Family: aurora
- C2: 45.15.156.172:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4520 set thread context of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 4436 | wmic.exe
  Token: SeSecurityPrivilege | 4436 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4436 | wmic.exe
  Token: SeLoadDriverPrivilege | 4436 | wmic.exe
  Token: SeSystemProfilePrivilege | 4436 | wmic.exe
  Token: SeSystemtimePrivilege | 4436 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4436 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4436 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4436 | wmic.exe
  Token: SeBackupPrivilege | 4436 | wmic.exe
  Token: SeRestorePrivilege | 4436 | wmic.exe
  Token: SeShutdownPrivilege | 4436 | wmic.exe
  Token: SeDebugPrivilege | 4436 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4436 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4436 | wmic.exe
  Token: SeUndockPrivilege | 4436 | wmic.exe
  Token: SeManageVolumePrivilege | 4436 | wmic.exe
  Token: 33 | 4436 | wmic.exe
  Token: 34 | 4436 | wmic.exe
  Token: 35 | 4436 | wmic.exe
  Token: 36 | 4436 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 4436 | wmic.exe
  Token: SeSecurityPrivilege | 4436 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4436 | wmic.exe
  Token: SeLoadDriverPrivilege | 4436 | wmic.exe
  Token: SeSystemProfilePrivilege | 4436 | wmic.exe
  Token: SeSystemtimePrivilege | 4436 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4436 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4436 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4436 | wmic.exe
  Token: SeBackupPrivilege | 4436 | wmic.exe
  Token: SeRestorePrivilege | 4436 | wmic.exe
  Token: SeShutdownPrivilege | 4436 | wmic.exe
  Token: SeDebugPrivilege | 4436 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4436 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4436 | wmic.exe
  Token: SeUndockPrivilege | 4436 | wmic.exe
  Token: SeManageVolumePrivilege | 4436 | wmic.exe
  Token: 33 | 4436 | wmic.exe
  Token: 34 | 4436 | wmic.exe
  Token: 35 | 4436 | wmic.exe
  Token: 36 | 4436 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 4172 | WMIC.exe
  Token: SeSecurityPrivilege | 4172 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4172 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4172 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4172 | WMIC.exe
  Token: SeSystemtimePrivilege | 4172 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4172 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4172 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4172 | WMIC.exe
  Token: SeBackupPrivilege | 4172 | WMIC.exe
  Token: SeRestorePrivilege | 4172 | WMIC.exe
  Token: SeShutdownPrivilege | 4172 | WMIC.exe
  Token: SeDebugPrivilege | 4172 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4172 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4172 | WMIC.exe
  Token: SeUndockPrivilege | 4172 | WMIC.exe
  Token: SeManageVolumePrivilege | 4172 | WMIC.exe
  Token: 33 | 4172 | WMIC.exe
  Token: 34 | 4172 | WMIC.exe
  Token: 35 | 4172 | WMIC.exe
  Token: 36 | 4172 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 4172 | WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  description | pid | process | target process
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 4520 wrote to memory of 2276 | 4520 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
  PID 2276 wrote to memory of 4436 | 2276 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | wmic.exe
  PID 2276 wrote to memory of 4436 | 2276 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | wmic.exe
  PID 2276 wrote to memory of 1008 | 2276 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | cmd.exe
  PID 2276 wrote to memory of 1008 | 2276 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | cmd.exe
  PID 1008 wrote to memory of 4172 | 1008 | cmd.exe | WMIC.exe
  PID 1008 wrote to memory of 4172 | 1008 | cmd.exe | WMIC.exe
  PID 2276 wrote to memory of 1408 | 2276 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | cmd.exe
  PID 2276 wrote to memory of 1408 | 2276 | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe | cmd.exe
  PID 1408 wrote to memory of 3932 | 1408 | cmd.exe | WMIC.exe
  PID 1408 wrote to memory of 3932 | 1408 | cmd.exe | WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\System32\Wbem\wmic.exe (level 3)
      Command line: wmic os get Caption
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3)
      Command line: cmd /C "wmic path win32_VideoController get name"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\System32\Wbem\WMIC.exe (level 4)
        Command line: wmic path win32_VideoController get name
        Signatures:
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3)
      Command line: cmd /C "wmic cpu get name"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\System32\Wbem\WMIC.exe (level 4)
        Command line: wmic cpu get name
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: dd7a4110e2dc0760efdd47ee918c0deb
  SHA1: 5ed5efe128e521023e0caf4fff9af747522c8166
  SHA256: 550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084
  SHA512: c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: dc2b0f48d8f547d5ff7d67b371d850f0
  SHA1: 84d02ddbf478bf7cfe9ccb466362860ee18b3839
  SHA256: 0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890
  SHA512: 3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7
- memory/2276-147-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-144-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-146-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-145-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-133-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-148-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-150-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-151-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-143-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-138-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-206-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB
- memory/2276-207-0x0000000000C20000-0x0000000000F7C000-memory.dmp
  Filesize: 3.4MB