6f630e829c89ab5f88750bac15739301b9cb43d13bc247c94e70b0e4295378c8

Resubmissions

02/09/2024, 21:14

240902-z3rgpsxcnm 9

02/09/2024, 21:08

240902-zyvnkaxbqj 9

02/09/2024, 20:57

240902-zrx54sxapk 9

02/09/2024, 20:52

240902-znsffsxajm 9

Analysis

max time kernel
1800s
max time network
1119s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/09/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WorldWars.exe
Size

154.6MB
MD5

225cd570d533705a6798559e90ed99d9
SHA1

dadf3eccaf2b6c7183128941e3b854b8e6f21cec
SHA256

b4f796f1cd929e6da285b3469f8ad9a2ae9ef4d383295abf0a746bf053ea4c0e
SHA512

67aefd4d858caacf7129671081cf8eae9762a5e27cf63832226da7a25f9aac3b3c19a8b4d9cd3216b6565f066259c2d7dadc86d9ca1277b659d9351054759405
SSDEEP

1572864:ITmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:7v6E70+Mk

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 2 IoCs

pid	Process
1300	WorldWars.exe
1300	WorldWars.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3548	tasklist.exe
2464	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
560	WorldWars.exe
560	WorldWars.exe
4592	WorldWars.exe
4592	WorldWars.exe
4592	WorldWars.exe
4592	WorldWars.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1576	WMIC.exe
Token: SeSecurityPrivilege	1576	WMIC.exe
Token: SeTakeOwnershipPrivilege	1576	WMIC.exe
Token: SeLoadDriverPrivilege	1576	WMIC.exe
Token: SeSystemProfilePrivilege	1576	WMIC.exe
Token: SeSystemtimePrivilege	1576	WMIC.exe
Token: SeProfSingleProcessPrivilege	1576	WMIC.exe
Token: SeIncBasePriorityPrivilege	1576	WMIC.exe
Token: SeCreatePagefilePrivilege	1576	WMIC.exe
Token: SeBackupPrivilege	1576	WMIC.exe
Token: SeRestorePrivilege	1576	WMIC.exe
Token: SeShutdownPrivilege	1576	WMIC.exe
Token: SeDebugPrivilege	1576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1576	WMIC.exe
Token: SeRemoteShutdownPrivilege	1576	WMIC.exe
Token: SeUndockPrivilege	1576	WMIC.exe
Token: SeManageVolumePrivilege	1576	WMIC.exe
Token: 33	1576	WMIC.exe
Token: 34	1576	WMIC.exe
Token: 35	1576	WMIC.exe
Token: 36	1576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1576	WMIC.exe
Token: SeSecurityPrivilege	1576	WMIC.exe
Token: SeTakeOwnershipPrivilege	1576	WMIC.exe
Token: SeLoadDriverPrivilege	1576	WMIC.exe
Token: SeSystemProfilePrivilege	1576	WMIC.exe
Token: SeSystemtimePrivilege	1576	WMIC.exe
Token: SeProfSingleProcessPrivilege	1576	WMIC.exe
Token: SeIncBasePriorityPrivilege	1576	WMIC.exe
Token: SeCreatePagefilePrivilege	1576	WMIC.exe
Token: SeBackupPrivilege	1576	WMIC.exe
Token: SeRestorePrivilege	1576	WMIC.exe
Token: SeShutdownPrivilege	1576	WMIC.exe
Token: SeDebugPrivilege	1576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1576	WMIC.exe
Token: SeRemoteShutdownPrivilege	1576	WMIC.exe
Token: SeUndockPrivilege	1576	WMIC.exe
Token: SeManageVolumePrivilege	1576	WMIC.exe
Token: 33	1576	WMIC.exe
Token: 34	1576	WMIC.exe
Token: 35	1576	WMIC.exe
Token: 36	1576	WMIC.exe
Token: SeDebugPrivilege	3548	tasklist.exe
Token: SeDebugPrivilege	2464	tasklist.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe
Token: SeShutdownPrivilege	1300	WorldWars.exe
Token: SeCreatePagefilePrivilege	1300	WorldWars.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2616	1300	WorldWars.exe	80
PID 1300 wrote to memory of 2616	1300	WorldWars.exe	80
PID 2616 wrote to memory of 1576	2616	cmd.exe	82
PID 2616 wrote to memory of 1576	2616	cmd.exe	82
PID 1300 wrote to memory of 768	1300	WorldWars.exe	84
PID 1300 wrote to memory of 768	1300	WorldWars.exe	84
PID 1300 wrote to memory of 1572	1300	WorldWars.exe	85
PID 1300 wrote to memory of 1572	1300	WorldWars.exe	85
PID 1572 wrote to memory of 3548	1572	cmd.exe	88
PID 1572 wrote to memory of 3548	1572	cmd.exe	88
PID 768 wrote to memory of 2464	768	cmd.exe	89
PID 768 wrote to memory of 2464	768	cmd.exe	89
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 2920	1300	WorldWars.exe	90
PID 1300 wrote to memory of 560	1300	WorldWars.exe	91
PID 1300 wrote to memory of 560	1300	WorldWars.exe	91
PID 1300 wrote to memory of 4592	1300	WorldWars.exe	92
PID 1300 wrote to memory of 4592	1300	WorldWars.exe	92

C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
"C:\Users\Admin\AppData\Local\Temp\WorldWars.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
  "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unitygame-setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 --field-trial-handle=1876,i,18446229219209449067,11794341009866648329,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
  "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unitygame-setup" --mojo-platform-channel-handle=2068 --field-trial-handle=1876,i,18446229219209449067,11794341009866648329,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
  "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\unitygame-setup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1448 --field-trial-handle=1876,i,18446229219209449067,11794341009866648329,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc0e4b9c-d1dd-42a5-b4e6-3469e83bfb19.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6729e63-c0a6-4277-9eaf-d03b17671359.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
memory/4592-43-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-45-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-44-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-49-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-52-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-55-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-54-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-53-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-50-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download
memory/4592-51-0x000002696DBD0000-0x000002696DBD1000-memory.dmp

Filesize
4KB

Download