Behavioral Report

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
1715s
max time network
1786s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

OnlineInstaller.exe

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory ⋅ 1 IoCs

Processes:

OnlineInstaller.tmp

description ioc process

File created C:\Windows\system32\drivers\iaStorE.sys OnlineInstaller.tmp
Executes dropped EXE ⋅ 1 IoCs

Processes:

OnlineInstaller.tmp

pid process

1708 OnlineInstaller.tmp
Checks for any installed AV software in registry ⋅ 1 TTPs 1 IoCs

TTPs:

Security Software Discovery

Processes:

OnlineInstaller.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira OnlineInstaller.exe

description	ioc	process
File created	C:\Windows\system32\drivers\iaStorE.sys	OnlineInstaller.tmp

pid	process
1708	OnlineInstaller.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	OnlineInstaller.exe

Drops file in System32 directory ⋅ 6 IoCs

Processes:

OnlineInstaller.tmp

description	ioc	process
File created	C:\Windows\system32\spoolsr.exe	OnlineInstaller.tmp
File created	C:\Windows\system32\MS.dat	OnlineInstaller.tmp
File created	C:\Windows\system32\KeyHook64.dll	OnlineInstaller.tmp
File created	C:\Windows\system32\KH.dat	OnlineInstaller.tmp
File created	C:\Windows\system32\usp20.dll	OnlineInstaller.tmp
File created	C:\Windows\system32\UP.dat	OnlineInstaller.tmp

Suspicious use of AdjustPrivilegeToken ⋅ 4 IoCs

Processes:

OnlineInstaller.exeOnlineInstaller.tmp

description	pid	process
Token: SeDebugPrivilege	540	OnlineInstaller.exe
Token: SeLoadDriverPrivilege	540	OnlineInstaller.exe
Token: SeDebugPrivilege	1708	OnlineInstaller.tmp
Token: SeLoadDriverPrivilege	1708	OnlineInstaller.tmp

Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes:

OnlineInstaller.exe

description	pid	process	target process
PID 540 wrote to memory of 1708	540	OnlineInstaller.exe	OnlineInstaller.tmp
PID 540 wrote to memory of 1708	540	OnlineInstaller.exe	OnlineInstaller.tmp
PID 540 wrote to memory of 1708	540	OnlineInstaller.exe	OnlineInstaller.tmp

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe"

Checks for any installed AV software in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:540

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp -install

Drops file in Drivers directory
Executes dropped EXE
Drops file in System32 directory
Suspicious use of AdjustPrivilegeToken

PID:1708

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Security Software Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp
MD5
4b042bfd9c11ab6a3fb78fa5c34f55d0

SHA1
b0f506640c205d3fbcfe90bde81e49934b870eab

SHA256
59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

SHA512
dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp
MD5
4b042bfd9c11ab6a3fb78fa5c34f55d0

SHA1
b0f506640c205d3fbcfe90bde81e49934b870eab

SHA256
59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

SHA512
dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

Download Submit
memory/1708-0-0x0000000000000000-mapping.dmp

Download