Analysis
- max time kernel: 27s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 07:46
Static task: static1
Behavioral task: behavioral1
- Sample: WWSBot.exe
- Resource: win7-20230220-en
General
- Target: WWSBot.exe
- Size: 307.5MB
- MD5: 9be38374c8a6d743747494d645dbe76b
- SHA1: 123c3a9149b00d50c2b20aada2c6ae9f3cce55e5
- SHA256: 9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45
- SHA512: 29dbda5921deb999010379a996f16f0640de891dc85f36e4175f3ec0dd381bfe8c52da05d42408d4b036427ba8d4c00f79149d25280b4cffc291cdb4e0643727
- SSDEEP: 24576:tN+qbmS6e/1ijwnQFpP1CJUmWw5/Ky9YawDZoaZC0gvbm49kLDA5gHdf6sxJwESo:WqbmSL/0wnQX1C3gk+lKbyf/z1
Malware Config
Extracted
- Family: aurora
- C2: 94.142.138.29:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description        | pid  | process    | target pid | target process
  set thread context | 1172 | WWSBot.exe | 1044       | WWSBot.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (the raw log repeats the same privilege set per process; 64 token events in total):
  pid  | process  | tokens adjusted
  1388 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (set listed twice in the log)
  2036 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (first four repeated once more in the log)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (count = number of identical "wrote to memory of" events in the log):
  pid  | process    | target pid | target process | count
  1172 | WWSBot.exe | 1044       | WWSBot.exe     | 11
  1044 | WWSBot.exe | 1388       | wmic.exe       | 3
  1044 | WWSBot.exe | 664        | cmd.exe        | 3
  664  | cmd.exe    | 2036       | WMIC.exe       | 3
  1044 | WWSBot.exe | 892        | cmd.exe        | 3
  892  | cmd.exe    | 296        | WMIC.exe       | 3
Processes (indentation shows the parent/child tree; the depth number from the report is given in parentheses)
- C:\Users\Admin\AppData\Local\Temp\WWSBot.exe (1)
  command line: "C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WWSBot.exe (2)
    command line: "C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (3)
      command line: wmic os get Caption
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (3)
      command line: cmd /C "wmic path win32_VideoController get name"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (4)
        command line: wmic path win32_VideoController get name
        signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (3)
      command line: cmd /C "wmic cpu get name"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (4)
        command line: wmic cpu get name
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: e5e81f0ae5ba9a2ac3db0a17d3c9f810
  SHA1: c2d6bdf002325094ff399b1e4c36df575b48ee4f
  SHA256: a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3
  SHA512: cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce
Memory dumps (sorted by snapshot id; all but one cover the same 0x400000-0x75C000 region of PID 1044)
- memory/1044-54-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-55-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-56-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-57-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-58-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-59-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-60-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-61-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp, Filesize: 4KB
- memory/1044-62-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-64-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-65-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-66-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-67-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-68-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-69-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-70-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB
- memory/1044-102-0x0000000000400000-0x000000000075C000-memory.dmp, Filesize: 3.4MB