Downloads.rar

General
Target: OnlineInstaller.exe
Filesize: 139MB
Completed: 19-11-2020 10:40
Score: 8/10
Malware Config
Signatures 6

Discovery
  • Drops file in Drivers directory
    OnlineInstaller.tmp

    Reported IOCs

    description  | ioc                                     | process
    File created | C:\Windows\system32\drivers\iaStorE.sys | OnlineInstaller.tmp
  • Executes dropped EXE
    OnlineInstaller.tmp

    Reported IOCs

    pid  | process
    1708 | OnlineInstaller.tmp
  • Checks for any installed AV software in registry
    OnlineInstaller.exe

    TTPs

    Security Software Discovery

    Reported IOCs

    description | ioc                                          | process
    Key opened  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | OnlineInstaller.exe
  • Drops file in System32 directory
    OnlineInstaller.tmp

    Reported IOCs

    description  | ioc                               | process
    File created | C:\Windows\system32\spoolsr.exe   | OnlineInstaller.tmp
    File created | C:\Windows\system32\MS.dat        | OnlineInstaller.tmp
    File created | C:\Windows\system32\KeyHook64.dll | OnlineInstaller.tmp
    File created | C:\Windows\system32\KH.dat        | OnlineInstaller.tmp
    File created | C:\Windows\system32\usp20.dll     | OnlineInstaller.tmp
    File created | C:\Windows\system32\UP.dat        | OnlineInstaller.tmp
  • Suspicious use of AdjustPrivilegeToken
    OnlineInstaller.exe, OnlineInstaller.tmp

    Reported IOCs

    description                  | pid  | process
    Token: SeDebugPrivilege      | 540  | OnlineInstaller.exe
    Token: SeLoadDriverPrivilege | 540  | OnlineInstaller.exe
    Token: SeDebugPrivilege      | 1708 | OnlineInstaller.tmp
    Token: SeLoadDriverPrivilege | 1708 | OnlineInstaller.tmp
  • Suspicious use of WriteProcessMemory
    OnlineInstaller.exe

    Reported IOCs

    description                     | pid | process             | target process
    PID 540 wrote to memory of 1708 | 540 | OnlineInstaller.exe | OnlineInstaller.tmp
    PID 540 wrote to memory of 1708 | 540 | OnlineInstaller.exe | OnlineInstaller.tmp
    PID 540 wrote to memory of 1708 | 540 | OnlineInstaller.exe | OnlineInstaller.tmp
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe"
    Checks for any installed AV software in registry
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID: 540
    • C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp -install
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID: 1708
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp
    MD5    4b042bfd9c11ab6a3fb78fa5c34f55d0
    SHA1   b0f506640c205d3fbcfe90bde81e49934b870eab
    SHA256 59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
    SHA512 dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3
  • memory/1708-0-0x0000000000000000-mapping.dmp