Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2023 03:37
Behavioral task
behavioral1
Sample
c15d46edf699c4cfbb7cfaff3e9ee1e6.exe
Resource
win7-20230220-en
General
-
Target
c15d46edf699c4cfbb7cfaff3e9ee1e6.exe
-
Size
81KB
-
MD5
c15d46edf699c4cfbb7cfaff3e9ee1e6
-
SHA1
0b96f22d36535f240c5c147131e71d71433838c2
-
SHA256
3fd05dba23b1fbbd47fb46c2fecb520a0da9e1d04974bf95aba043ddb8b4fbd4
-
SHA512
12caee5e5310f2cf9b38baa6bcf65d44b7cb478f5f463ab5a7ad1049275dcab935d5459227841379d175a83ed7eab80906a7dc4962923ec887b00de87087cbbe
-
SSDEEP
1536:FSnLHdPqT83kNsteY4g7M3xn5phR1bpTvcEYhkZkeA:FyZntV4sM3xn5mEYKkeA
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
c15d46edf699c4cfbb7cfaff3e9ee1e6.exedescription pid process Token: SeImpersonatePrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeTcbPrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeChangeNotifyPrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeCreateTokenPrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeBackupPrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeRestorePrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeIncreaseQuotaPrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe Token: SeAssignPrimaryTokenPrivilege 1224 c15d46edf699c4cfbb7cfaff3e9ee1e6.exe