Analysis

max time kernel: 50s
max time network: 52s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2023 14:04
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: file.exe
Resource: win7-20230220-en (windows7-x64)
5 signatures, 150 seconds

Behavioral task
behavioral2
Sample: file.exe
Resource: win10v2004-20230220-en (windows10-2004-x64)
5 signatures, 150 seconds
General

Target: file.exe
Size: 1.8MB
MD5: 13adf671ae056aa0e01e696c05736758
SHA1: 151edf47d4cf1f8bebe095502b4f4e8ed06dc59b
SHA256: 68837e50b37413708ed70f69651613342706345d14d3c2c21ed8ca3e298e5115
SHA512: ae8b633b4234bb470b4acc16c267086a69c12ee6b5bc292b44d1b5536ee47c9517a7201c5f424224938ea5e9875a9ed7f0bef1e9ddd62876cfc12287870e67bf
SSDEEP: 12288:3y7uix2TBXVnBGw4I/6QTdp7lRpIlfMer5iiTvdyyF55bI8NMXzpuwFKzCctAtdX:SFzMXzAwPZ
Score: 6/10
Malware Config

Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1056 set thread context of 924 | 1056 | file.exe | 28

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1056 | file.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1056 | file.exe
Token: SeDebugPrivilege | 924 | InstallUtil.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1056 wrote to memory of 924 | 1056 | file.exe | 28 (12 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   PID: 1056
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of PID 1056)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      PID: 924
      - Suspicious use of AdjustPrivilegeToken