Analysis
  max time kernel:  145s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        04-03-2024 15:53
Behavioral task: behavioral1
  Sample:   f364d1b15bb2049549d9084496ad239b.exe
  Resource: win7-20240221-en
General
  Target: f364d1b15bb2049549d9084496ad239b.exe
  Size:   4.8MB
  MD5:    f364d1b15bb2049549d9084496ad239b
  SHA1:   adbe8eb29c5e442a8515ba9c63a62126427ada8e
  SHA256: e846d3cfad85b09f8fdb0460fff53cfda1176f4e9e420bf60ed88d39b1ef93db
  SHA512: e94de32df4aebade28b24ba7007db2e002714b721e788de70f1f4080c72133742452b076da03530547cb18cea3d1c0cda84417d49810069076020b9fc610346f
  SSDEEP: 98304:GL4AFoEMQEbPjwV/xQzp2FMhsTBfkIS2oFw5gmpp4k:26EMnb7kZw4FMaTRkItym
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

yara_rule matches
  resource                                                                      yara_rule
  behavioral2/memory/5004-0-0x00007FF7DAFA0000-0x00007FF7DBE22000-memory.dmp    upx
  behavioral2/memory/5004-16-0x00007FF7DAFA0000-0x00007FF7DBE22000-memory.dmp   upx

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     ipinfo.io

Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid   Process
  1972  wmic.exe

GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description             flow  ioc
  HTTP User-Agent header  6     Go-http-client/1.1
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5004  f364d1b15bb2049549d9084496ad239b.exe

  The following 21 tokens are recorded, in this order, for wmic.exe PID 5104 (the full sequence appears twice, 42 entries) and for wmic.exe PID 1972 (once, 21 entries):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
  33, 34, 35, 36
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 5004 wrote to memory of 5104  5004  f364d1b15bb2049549d9084496ad239b.exe  95
  PID 5004 wrote to memory of 5104  5004  f364d1b15bb2049549d9084496ad239b.exe  95
  PID 5004 wrote to memory of 1972  5004  f364d1b15bb2049549d9084496ad239b.exe  97
  PID 5004 wrote to memory of 1972  5004  f364d1b15bb2049549d9084496ad239b.exe  97
Processes

C:\Users\Admin\AppData\Local\Temp\f364d1b15bb2049549d9084496ad239b.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f364d1b15bb2049549d9084496ad239b.exe"
  PID: 5004
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe  (depth 2)
    Command line: wmic cpu get name
    PID: 5104
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe  (depth 2)
    Command line: wmic path win32_VideoController get name
    PID: 1972
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 4472