Analysis
- max time kernel: 90s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 07:46

Static task: static1
Behavioral task: behavioral1
Sample: WWSBot.exe
Resource: win7-20230220-en
General
- Target: WWSBot.exe
- Size: 307.5MB
- MD5: 9be38374c8a6d743747494d645dbe76b
- SHA1: 123c3a9149b00d50c2b20aada2c6ae9f3cce55e5
- SHA256: 9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45
- SHA512: 29dbda5921deb999010379a996f16f0640de891dc85f36e4175f3ec0dd381bfe8c52da05d42408d4b036427ba8d4c00f79149d25280b4cffc291cdb4e0643727
- SSDEEP: 24576:tN+qbmS6e/1ijwnQFpP1CJUmWw5/Ky9YawDZoaZC0gvbm49kLDA5gHdf6sxJwESo:WqbmSL/0wnQX1C3gk+lKbyf/z1
Malware Config
Extracted
- Family: aurora
- C2: 94.142.138.29:8081
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: WWSBot.exe
  description                              pid   process     target process
  PID 2280 set thread context of 4132      2280  WWSBot.exe  WWSBot.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  description (Token:) | pid | process
  wmic.exe (PID 4420), each token recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  WMIC.exe (PID 3764): the same 21 tokens recorded once, followed by one more SeIncreaseQuotaPrivilege entry, where the 64-entry listing ends
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: WWSBot.exe, WWSBot.exe, cmd.exe, cmd.exe
  description                          pid   process     target process   count
  PID 2280 wrote to memory of 4132     2280  WWSBot.exe  WWSBot.exe       10
  PID 4132 wrote to memory of 4420     4132  WWSBot.exe  wmic.exe         2
  PID 4132 wrote to memory of 316      4132  WWSBot.exe  cmd.exe          2
  PID 316 wrote to memory of 3764      316   cmd.exe     WMIC.exe         2
  PID 4132 wrote to memory of 3360     4132  WWSBot.exe  cmd.exe          2
  PID 3360 wrote to memory of 4220     3360  cmd.exe     WMIC.exe         2
Processes (tree; PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\WWSBot.exe  (PID 2280)
  command line: "C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WWSBot.exe  (PID 4132)
    command line: "C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe  (PID 4420)
      command line: wmic os get Caption
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe  (PID 316)
      command line: cmd /C "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe  (PID 3764)
        command line: wmic path win32_VideoController get name
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe  (PID 3360)
      command line: cmd /C "wmic cpu get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe  (PID 4220)
        command line: wmic cpu get name
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: 77e31b1123e94ce5720ceb729a425798
  SHA1: 2b65c95f27d8dca23864a3ed4f78490039ae27bf
  SHA256: 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
  SHA512: 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 386c014d0948d4fc41afa98cfca9022e
  SHA1: 786cc52d9b962f55f92202c7d50c3707eb62607b
  SHA256: 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
  SHA512: 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f
- memory/4132-N-0x0000000000540000-0x000000000089C000-memory.dmp, for N in 133, 138, 143, 144, 145, 146, 147, 148, 149, 202
  Filesize: 3.4MB each (ten dumps of the same region of PID 4132)