Resubmissions

  • 240716-ps1mhswamh, submitted 16/07/2024, 12:36, score 7 (this analysis)
  • 240716-b2cedsyhjn, submitted 16/07/2024, 01:37, score 7
  • 240716-a64h1azfkb, submitted 16/07/2024, 00:50, score 8

Analysis

  • max time kernel
    1801s
  • max time network
    1598s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16/07/2024, 12:36

General

  • Target

    WorldWars.exe

  • Size

    154.6MB

  • MD5

    2083e38dc689c08455a74b5201f3ebb2

  • SHA1

    b905d6d3ba73eba3b219ea6de7bb7e42de2605fb

  • SHA256

    5a48729eeb6e105d5849faee5d4888841c02263622e2fdd5b66309186910d7a2

  • SHA512

    6d16116a78aded98f26b44f6277e92f7f3296a752eef8247b3976f718e5b79144f353451687ebde16f6a559d868b25b46a2b9c84dc306c015507ae93efadc528

  • SSDEEP

    1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
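The signatures above are what the sandbox's own rules matched. The same behaviours can be caught in process-creation telemetry with a few targeted heuristics. What follows is an added example, not part of the report, the sandbox's rule set, or the sample: it runs over an in-memory event list constructed from the parent/child command lines in the Processes section of this report (same PIDs; the root's parent pid is made up and the DPAPI byte array is cut to its first eight values because only its shape matters to the rule). The rule names, thresholds and the EVENTS layout are the example's own.

```python
"""Process-tree heuristics for the behaviours this report's signatures flag.

Added example; not part of the sandbox report, its rule set, or the sample.
EVENTS is constructed from the command lines in the report's Processes
section, keeping its PIDs and parent/child links (the root's parent pid is
made up, and the DPAPI byte array is cut to its first eight values because
only its shape matters to the rule). In production these records would come
from Sysmon Event ID 1 or EDR process-creation telemetry.
"""
import re
from collections import defaultdict

CMD = r"C:\Windows\system32\cmd.exe"
WW = r"C:\Users\Admin\AppData\Local\Temp\WorldWars.exe"

# (pid, ppid, image, command_line) -- constructed from the report
EVENTS = [
    (4164, 1, WW, f'"{WW}"'),
    (2500, 4164, CMD, CMD + r''' /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"'''),
    (2836, 4164, CMD, CMD + r' /d /s /c "tasklist"'),
    (1444, 4164, CMD, CMD + r' /d /s /c "tasklist"'),
    (3992, 4164, CMD, CMD + r''' /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')"'''),
    (2120, 4164, CMD, CMD + r' /d /s /c "wmic cpu get name"'),
    (4916, 4164, CMD, CMD + r' /d /s /c "wmic cpu get ProcessorId"'),
    (3804, 4164, CMD, CMD + r' /d /s /c "wmic baseboard get Product"'),
    (760, 4164, CMD, CMD + r' /d /s /c "wmic baseboard get SerialNumber"'),
    (4716, 4164, CMD, CMD + r' /d /s /c "wmic OS get caption"'),
    (1808, 4164, CMD, CMD + r' /d /s /c "wmic computersystem get TotalPhysicalMemory"'),
    (1324, 4164, CMD, CMD + r' /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"'),
    (2456, 4164, CMD, CMD + r' /d /s /c "wmic diskdrive get SerialNumber"'),
    (4440, 4164, CMD, CMD + r' /d /s /c "wmic path win32_computersystemproduct get uuid"'),
]

# A single WMIC call is common in benign software; several distinct
# hardware-identity classes queried from one parent is the fingerprinting pattern.
HW_IDENTITY_CLASSES = {"cpu", "baseboard", "diskdrive", "win32_computersystemproduct"}

WMIC_RE = re.compile(r"\bwmic\s+(?:path\s+)?([\w.]+)\s+get\b", re.I)
DPAPI_INLINE_RE = re.compile(r"ProtectedData\]::Unprotect\(\s*\[byte\[\]\]\s*@\(", re.I)
PRODUCT_KEY_RE = re.compile(
    r"SoftwareProtectionPlatform.*?\b(BackupProductKeyDefault|DigitalProductId)\b", re.I)
TASKLIST_RE = re.compile(r"\btasklist(\.exe)?\b", re.I)


def analyse(events, min_hw_classes=3):
    """Return {finding: sorted pids}.

    Per-command findings carry the pid of the matching process; the
    fingerprint finding carries the parent that issued the burst of queries.
    """
    findings = defaultdict(set)
    hw_classes_by_parent = defaultdict(set)
    for pid, ppid, _image, cmd in events:
        if DPAPI_INLINE_RE.search(cmd):
            findings["dpapi_unprotect_inline_blob"].add(pid)
        if PRODUCT_KEY_RE.search(cmd):
            findings["windows_product_key_read"].add(pid)
        if TASKLIST_RE.search(cmd):
            findings["process_discovery_tasklist"].add(pid)
        m = WMIC_RE.search(cmd)
        if m and m.group(1).lower() in HW_IDENTITY_CLASSES:
            hw_classes_by_parent[ppid].add(m.group(1).lower())
    for ppid, classes in hw_classes_by_parent.items():
        if len(classes) >= min_hw_classes:
            findings["hardware_fingerprint_burst"].add(ppid)
    return {name: sorted(pids) for name, pids in findings.items()}


if __name__ == "__main__":
    for name, pids in analyse(EVENTS).items():
        print(f"{name:32} pids={pids}")
```

The product-key and inline-DPAPI rules are specific enough to alert on a single event; the fingerprint rule deliberately keys on a burst of distinct hardware-identity queries from one parent rather than on any lone `wmic` call. In a real pipeline the image path of the child (cmd.exe spawned by an application under %TEMP%) is a further condition worth adding.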

Processes

  • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
    "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,228,173,236,142,239,113,195,75,140,113,18,38,91,244,218,123,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,129,175,135,137,185,122,77,189,62,225,253,172,49,176,39,145,226,85,134,62,188,107,177,176,62,170,133,52,43,26,154,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,228,95,112,198,161,112,115,223,80,16,27,225,178,137,144,253,199,132,5,44,234,91,70,221,134,160,202,96,25,132,25,103,48,0,0,0,121,154,6,88,102,246,48,57,103,179,211,145,8,41,212,106,223,226,139,239,64,117,157,14,32,8,120,144,61,41,221,76,103,54,215,48,236,252,72,145,132,62,174,200,105,234,37,197,64,0,0,0,40,230,37,237,32,116,71,253,91,223,25,180,29,81,3,119,31,171,175,42,137,247,20,242,139,67,213,206,8,12,224,33,136,111,86,248,76,24,8,69,11,106,124,80,119,147,64,147,218,108,250,75,125,139,6,105,1,28,134,6,76,60,43,69), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,228,173,236,142,239,113,195,75,140,113,18,38,91,244,218,123,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,129,175,135,137,185,122,77,189,62,225,253,172,49,176,39,145,226,85,134,62,188,107,177,176,62,170,133,52,43,26,154,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,228,95,112,198,161,112,115,223,80,16,27,225,178,137,144,253,199,132,5,44,234,91,70,221,134,160,202,96,25,132,25,103,48,0,0,0,121,154,6,88,102,246,48,57,103,179,211,145,8,41,212,106,223,226,139,239,64,117,157,14,32,8,120,144,61,41,221,76,103,54,215,48,236,252,72,145,132,62,174,200,105,234,37,197,64,0,0,0,40,230,37,237,32,116,71,253,91,223,25,180,29,81,3,119,31,171,175,42,137,247,20,242,139,67,213,206,8,12,224,33,136,111,86,248,76,24,8,69,11,106,124,80,119,147,64,147,218,108,250,75,125,139,6,105,1,28,134,6,76,60,43,69), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
    • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
      "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1832,i,9497895560325006605,7764077364719857167,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:4972
    • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
      "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --mojo-platform-channel-handle=1296 --field-trial-handle=1832,i,9497895560325006605,7764077364719857167,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4200
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get ProcessorId
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get Product
        3⤵
        PID:2532
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get SerialNumber
        3⤵
        PID:932
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
      2⤵
      PID:4716
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic OS get caption
        3⤵
        PID:2820
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
      2⤵
      PID:1808
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get TotalPhysicalMemory
        3⤵
        PID:2952
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
      2⤵
      PID:1324
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_videocontroller get caption,PNPDeviceID
        3⤵
        PID:3188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
      2⤵
      PID:2456
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get SerialNumber
        3⤵
        PID:3384
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      2⤵
      PID:4440
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        3⤵
        PID:2828
    • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
      "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1832,i,9497895560325006605,7764077364719857167,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4928
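The byte array that PID 3824 hands to [System.Security.Cryptography.ProtectedData]::Unprotect is a DPAPI blob, and its header says a good deal before anything is decrypted: which user's master key it is bound to, the cipher and hash, and how much ciphertext there is. The parser below is an added example, not part of the report or the sample. BLOB is copied from that powershell.exe command line; the field layout is the CryptProtectData blob format as documented by public DPAPI research (the KULL_M_DPAPI_BLOB structure used by mimikatz), which the report itself does not describe. The helper extract_byte_array and the field names are the example's own.

```python
"""Header parser for the DPAPI blob the sample passes to ProtectedData.Unprotect.

Added example; not part of the sandbox report or the sample. BLOB is the byte
array from the powershell.exe command line of PID 3824. Field layout follows
the CryptProtectData blob structure as documented by public DPAPI research
(mimikatz's KULL_M_DPAPI_BLOB); the field names here are ours.
"""
import re
import struct
import uuid

DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"  # fixed for every DPAPI blob

ALG_NAMES = {  # ALG_ID values from wincrypt.h
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512",
}

BLOB = bytes([  # copied from the report, split by field
    1,0,0,0,                                                    # dwVersion
    208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,   # provider GUID
    1,0,0,0,                                                    # master key version
    228,173,236,142,239,113,195,75,140,113,18,38,91,244,218,123, # master key GUID
    0,0,0,0,                                                    # flags
    2,0,0,0, 0,0,                                               # description (UTF-16LE "")
    16,102,0,0, 0,1,0,0,                                        # algCrypt, key bits
    32,0,0,0,                                                   # salt length
    129,175,135,137,185,122,77,189,62,225,253,172,49,176,39,145,
    226,85,134,62,188,107,177,176,62,170,133,52,43,26,154,72,
    0,0,0,0,                                                    # hmac key length
    14,128,0,0, 0,2,0,0,                                        # algHash, hash bits
    32,0,0,0,                                                   # hmac2 key length
    228,95,112,198,161,112,115,223,80,16,27,225,178,137,144,253,
    199,132,5,44,234,91,70,221,134,160,202,96,25,132,25,103,
    48,0,0,0,                                                   # ciphertext length
    121,154,6,88,102,246,48,57,103,179,211,145,8,41,212,106,
    223,226,139,239,64,117,157,14,32,8,120,144,61,41,221,76,
    103,54,215,48,236,252,72,145,132,62,174,200,105,234,37,197,
    64,0,0,0,                                                   # signature length
    40,230,37,237,32,116,71,253,91,223,25,180,29,81,3,119,
    31,171,175,42,137,247,20,242,139,67,213,206,8,12,224,33,
    136,111,86,248,76,24,8,69,11,106,124,80,119,147,64,147,
    218,108,250,75,125,139,6,105,1,28,134,6,76,60,43,69,
])


def extract_byte_array(command_line):
    """Pull the [byte[]]@(...) literal out of a PowerShell command line."""
    m = re.search(r"\[byte\[\]\]\s*@\(([\d,\s]+)\)", command_line)
    if not m:
        raise ValueError("no [byte[]]@(...) literal in command line")
    return bytes(int(v) for v in m.group(1).split(","))


def _take(buf, off, n):
    if off + n > len(buf):
        raise ValueError(f"blob truncated at offset {off}")
    return bytes(buf[off:off + n]), off + n

def _u32(buf, off):
    raw, off = _take(buf, off, 4)
    return struct.unpack("<I", raw)[0], off

def _guid(buf, off):
    raw, off = _take(buf, off, 16)
    return str(uuid.UUID(bytes_le=raw)), off

def _counted(buf, off):          # DWORD length followed by that many bytes
    n, off = _u32(buf, off)
    return _take(buf, off, n)


def parse_dpapi_blob(buf):
    off = 0
    version, off = _u32(buf, off)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"not a DPAPI blob (version={version}, provider={provider})")
    mk_version, off = _u32(buf, off)
    master_key, off = _guid(buf, off)       # which user/machine master key can decrypt it
    flags, off = _u32(buf, off)
    description, off = _counted(buf, off)   # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(buf, off)
    alg_crypt_bits, off = _u32(buf, off)
    salt, off = _counted(buf, off)
    hmac_key, off = _counted(buf, off)      # legacy field, usually empty
    alg_hash, off = _u32(buf, off)
    alg_hash_bits, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)
    ciphertext, off = _counted(buf, off)
    signature, off = _counted(buf, off)     # integrity MAC, keyed from the master key
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after signature")
    return {
        "version": version, "provider_guid": provider,
        "master_key_version": mk_version, "master_key_guid": master_key, "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "alg_crypt_bits": alg_crypt_bits,
        "salt": salt, "hmac_key": hmac_key,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "alg_hash_bits": alg_hash_bits,
        "hmac2_key": hmac2_key, "ciphertext": ciphertext, "signature": signature,
    }


if __name__ == "__main__":
    for k, v in parse_dpapi_blob(BLOB).items():
        print(f"{k:20} {v.hex() if isinstance(v, bytes) else v}")
```

For this blob the parser reports master key 8eecade4-71ef-4bc3-8c71-12265bf4da7b, CALG_AES_256 with CALG_SHA_512, an empty description and 48 bytes of ciphertext (so the plaintext is at most 48 bytes, fewer once padding is removed). A DPAPI blob can only be unprotected by the account whose master key it names, so the CurrentUser call in the tree succeeds only if that master key exists for the sandbox user; the report does not show what the call returned. To tell whether the blob was produced during this run or shipped with the sample, compare the master key GUID with the file names under %APPDATA%\Microsoft\Protect\<SID>\ on the analysis VM: a match means the sample encrypted the data itself on this host, no match means a hard-coded blob that Unprotect would reject.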

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 5d574dc518025fad52b7886c1bff0e13
    SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
    SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
    SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
    (.NET Framework per-process usage log; it records the assemblies the PowerShell processes loaded, so it can confirm the System.Security load from the Add-Type call.)

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 7c22e95712cefeaccd922518e510de20
    SHA1: 957785f8103b63e63ec41e7e17b83590e5666067
    SHA256: d14ce415bc7aac5c5e0fc1a06f2388742cb6f07eb60e50f36e746ae15d2e486c
    SHA512: 9a2bfdc8b5e852be882616e2f53ca00b821e8e51eff3bb1d2f37e49f9dcd4771d3373f49bcb1c201072796beb58140d22b1465e668490130b142c9cffdfa1d81

  • C:\Users\Admin\AppData\Local\Temp\Passwords.txt
    Filesize: 14B
    MD5: b4b41665eb819824e886204a28cc610b
    SHA1: e778edb6f635f665c0b512748b8fec6a2a23a88b
    SHA256: 635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6
    SHA512: 37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_alnmm1u0.axh.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
    (PowerShell's own AppLocker/WDAC script-policy probe, written on every start-up; the 1-byte content is the character "1", which these hashes match. Not attributable to the sample.)

  • \Users\Admin\AppData\Local\Temp\01a6620f-0228-44ea-b102-a12495072841.tmp.node
    Filesize: 1.4MB
    MD5: 56192831a7f808874207ba593f464415
    SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
    SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
    SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
    (A .node file is a native Node.js addon, i.e. a DLL loaded by the Electron runtime; it is the most plausible subject of the "Loads dropped DLL" signature.)

  • memory/2228-12-0x0000021178610000-0x0000021178632000-memory.dmp
    Filesize: 136KB

  • memory/2228-15-0x00000211787E0000-0x0000021178856000-memory.dmp
    Filesize: 472KB

  • memory/3824-69-0x0000018355070000-0x00000183550C0000-memory.dmp
    Filesize: 320KB