Resubmissions

06-03-2021 03:32

210306-m3rvqme486 6

29-05-2020 01:26

200529-gb7z4ayft2 6

28-05-2020 12:20

200528-54npk69lb6 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29-05-2020 01:26

General

  • Target

    appinstall.exe

  • Size

    168KB

  • MD5

    4aea355a977144665082077acfe9528b

  • SHA1

    1fcfc6db3d051c15e043c0cec6d788a5368347b3

  • SHA256

    662df407f177b9d63dc16fe5c1068d65c8e1fbe602d05a7cae1db651179b746e

  • SHA512

    785c5b6d437ea566bfe801d6c32ef6df8d543d681daf9ab44a6d0a9c1b3cd47481b8bca2ebf8a7e4fe51265662e63e62b78d771e7861d821bde6ac45b6c719f3

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\appinstall.exe
    "C:\Users\Admin\AppData\Local\Temp\appinstall.exe"
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\d92t4y" /v nt3ckj /t REG_DWORD /d 0
      • Suspicious use of WriteProcessMemory
      PID:3256
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\d92t4y" /v nt3ckj /t REG_DWORD /d 0
        PID:368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" >> NUL
      PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • T1130 Install Root Certificate: 1
    • T1112 Modify Registry: 1
  • Discovery
    • T1082 System Information Discovery: 1
  • Command and Control
    • T1102 Web Service: 1


Downloads

  • memory/368-4-0x0000000000000000-mapping.dmp
  • memory/572-3-0x0000000000000000-mapping.dmp
  • memory/3256-2-0x0000000000000000-mapping.dmp