Analysis
-
max time kernel: 243s
max time network: 285s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 09:20
Static task: static1
Behavioral task: behavioral1
  Sample: Antl-Setup-v2.05.83_x64(1).exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Antl-Setup-v2.05.83_x64(1).exe
  Resource: win10v2004-20221111-en
General
-
Target: Antl-Setup-v2.05.83_x64(1).exe
Size: 97.2MB
MD5: d1d5bddab1d1985e1dee0696b7c9c1fa
SHA1: fb73395cfd6f7f37df8bb20020d0c5bf6fe9daad
SHA256: f920ffbbd07b725e4318bc71366b30f2ad01b40cd6250294f54badf28e93cefd
SHA512: 1e823e00e3e5d58712d6c52c44427bcd6ff9337dfcdc92d6de6c8463aa450b2886cba0f71258598a4c0246254de02b4aadeb15a8c9c5275b91195401340160db
SSDEEP: 3145728:v2LPmPwJOHt9eFpc13E1oD8mF5TvYrdknEP5g16:uziwc8pc13OMs5Q6
Malware Config
Signatures
-
Executes dropped EXE (5 IoCs)
Processes:
  PID 1196  Antl.exe
  PID 832   Antl.exe
  PID 956   mini_installer.exe
  PID 1620  setup.exe
  PID 2020  setup.exe
-
Loads dropped DLL (12 IoCs)
Processes (one row per load event):
  PID 964   Antl-Setup-v2.05.83_x64(1).exe  (x5)
  PID 1204  (image name not recorded)       (x4)
  PID 1196  Antl.exe
  PID 956   mini_installer.exe
  PID 1620  setup.exe
PID 1204 appears only in this table; it has no entry in the process tree below and the report does not record which image it is.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory (12 IoCs)
Processes:
  File created  C:\Program Files (x86)\Antl\Antl.ico                                   by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\uninst.exe                                 by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\browser\SwitchyOmega_Chromium.zip          by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\browser\uBlock0_1.27.10.chromium.zip       by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe             by mini_installer.exe
  File created  C:\Program Files (x86)\Antl\Antl.exe                                   by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\uantl_x64.dll                              by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\pack.data.new                              by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\browser\ChromeSetup.exe                    by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\browser\mini_installer.exe                 by Antl-Setup-v2.05.83_x64(1).exe
  File created  C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\CHROME.PACKED.7Z      by mini_installer.exe
  File created  C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\SETUP.EX_             by mini_installer.exe
The mini_installer.exe / CHROME.PACKED.7Z / setup.exe --install-archive chain is the standard Chromium installer layout, and the two zips are Chromium extension packages (uBlock Origin 1.27.10 and the SwitchyOmega proxy switcher). The sample therefore installs a complete browser next to its own components (Antl.exe, uantl_x64.dll, pack.data.new); the browser files are not evidence of malicious behaviour by themselves, so analysis should focus on Antl.exe and the DLL.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; on its own it is weak evidence, and here it fires during an installer run that also writes a Chromium install under Program Files, so it should not be read as ransomware without corroborating file-encryption activity.
-
GoLang User-Agent (1 IoC)
Uses the default User-Agent string that Go's net/http package sends when a program does not set one.
Network flows:
  flow 3  HTTP User-Agent header  Go-http-client/1.1
This identifies Antl.exe (the only non-Chromium executable in the tree) as a Go binary talking HTTP/1.1; the report does not show the destination host for this flow.
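The default Go User-Agent is a useful pivot in proxy or NetFlow-with-HTTP logs, but only as an exact match: many legitimate Go tools send it too, and others (Docker, for example) build their own UA that merely mentions Go. The following detection routine is an added example and not part of the sandbox report; the log format and all sample lines are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed proxy log lines (not from the report). Assumed format:
# <timestamp> <client-ip> <method> <host> "<user-agent>"
SAMPLE_LOG = """\
2022-11-23T09:21:03Z 10.0.0.15 GET update.example.invalid "Go-http-client/1.1"
2022-11-23T09:21:04Z 10.0.0.15 GET update.example.invalid "Go-http-client/1.1"
2022-11-23T09:21:09Z 10.0.0.15 POST api.example.invalid "Go-http-client/2.0"
2022-11-23T09:21:10Z 10.0.0.22 GET www.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4501.1 Safari/537.36"
2022-11-23T09:21:11Z 10.0.0.30 GET registry.example.invalid "docker/20.10.12 go/go1.16.12 (linux)"
2022-11-23T09:21:12Z 10.0.0.15 GET cdn.example.invalid "Mozilla/5.0 Go-http-client/1.1 compat"
"""

_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Go's net/http sends exactly "Go-http-client/1.1" over HTTP/1.1 and
# "Go-http-client/2.0" over HTTP/2 when the program never sets User-Agent.
# Anchored on both ends: a UA that merely contains the string is a different
# program (or a deliberate decoy) and must not match.
_GO_DEFAULT_UA = re.compile(r"^Go-http-client/(1\.1|2\.0)$")


def find_go_default_ua(log_text):
    """Return one dict per request whose User-Agent is the Go default."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # malformed or empty line; skip rather than fail the run
        ts, client, method, host, ua = m.groups()
        g = _GO_DEFAULT_UA.match(ua)
        if g:
            hits.append({"time": ts, "client": client, "method": method,
                         "host": host, "http_version": g.group(1)})
    return hits


def clients_by_hits(hits):
    """How many default-UA requests each client made; a single host with a
    steady stream of them is what the sandbox flow above would look like."""
    return Counter(h["client"] for h in hits)


def hosts_for_client(hits, client):
    """Destinations contacted by one client with the Go default UA, for
    correlation with the process and DNS telemetry from the same host."""
    return sorted({h["host"] for h in hits if h["client"] == client})


if __name__ == "__main__":
    found = find_go_default_ua(SAMPLE_LOG)
    for client, n in clients_by_hits(found).most_common():
        print(client, n, hosts_for_client(found, client))
```

Treat a hit as a reason to look at what process on that client opened the connection, not as a verdict: the Go default UA is equally common in internal tooling and CI agents.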
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 1196  Antl.exe  (x2)
  PID 832   Antl.exe  (x2)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege            PID 1196  Antl.exe
  Token: SeDebugPrivilege            PID 832   Antl.exe
  Token: 33                          PID 956   mini_installer.exe   (LUID 33 is SeIncreaseWorkingSetPrivilege in winnt.h; the sandbox did not resolve the name)
  Token: SeIncBasePriorityPrivilege  PID 956   mini_installer.exe
Both Antl.exe instances enable SeDebugPrivilege and enumerate processes; the two privileges taken by mini_installer.exe are ordinary for an installer adjusting its own priority and working set.
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  PID 1196  Antl.exe
-
Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  PID 1196  Antl.exe
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (writer PID -> target PID, writer image -> target image; the sandbox records every write individually):
  964 -> 1196   Antl-Setup-v2.05.83_x64(1).exe -> Antl.exe            (x4)
  964 -> 956    Antl-Setup-v2.05.83_x64(1).exe -> mini_installer.exe  (x4)
  956 -> 1620   mini_installer.exe -> setup.exe                       (x3)
  1620 -> 2020  setup.exe -> setup.exe                                (x3)
Every target here is the writer's direct child in the process tree below. A short burst of writes from a parent into a process it has just created is what ordinary process creation looks like to a sandbox hook (the parent populates the child's process parameters and environment); none of these rows is a write into an unrelated process.
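Reading the WriteProcessMemory rows against the process tree is the check that separates this installer's parent-to-child writes from actual injection. The script below is an added example written for this report (it is not sandbox tooling): it re-parses the rows exactly as printed above, labels each writer/target pair by whether the target is the writer's child, and cross-references the PIDs that executed as dropped binaries and that enabled SeDebugPrivilege. One extra row, a write from Antl.exe into an unrelated explorer.exe, is constructed and does not occur in the report; it is there only to show what a cross-process write would look like.

```python
import re
from collections import Counter, namedtuple

WpmEvent = namedtuple("WpmEvent", "writer writer_image target target_image")

# Rows copied from the "Suspicious use of WriteProcessMemory" signature on this page.
REPORT_WPM = """\
PID 964 wrote to memory of 1196 964 Antl-Setup-v2.05.83_x64(1).exe Antl.exe
PID 964 wrote to memory of 1196 964 Antl-Setup-v2.05.83_x64(1).exe Antl.exe
PID 964 wrote to memory of 1196 964 Antl-Setup-v2.05.83_x64(1).exe Antl.exe
PID 964 wrote to memory of 1196 964 Antl-Setup-v2.05.83_x64(1).exe Antl.exe
PID 964 wrote to memory of 956 964 Antl-Setup-v2.05.83_x64(1).exe mini_installer.exe
PID 964 wrote to memory of 956 964 Antl-Setup-v2.05.83_x64(1).exe mini_installer.exe
PID 964 wrote to memory of 956 964 Antl-Setup-v2.05.83_x64(1).exe mini_installer.exe
PID 964 wrote to memory of 956 964 Antl-Setup-v2.05.83_x64(1).exe mini_installer.exe
PID 956 wrote to memory of 1620 956 mini_installer.exe setup.exe
PID 956 wrote to memory of 1620 956 mini_installer.exe setup.exe
PID 956 wrote to memory of 1620 956 mini_installer.exe setup.exe
PID 1620 wrote to memory of 2020 1620 setup.exe setup.exe
PID 1620 wrote to memory of 2020 1620 setup.exe setup.exe
PID 1620 wrote to memory of 2020 1620 setup.exe setup.exe
"""

# Constructed row, NOT in the report: what a real cross-process write would
# look like (Antl.exe writing into an explorer.exe it did not create).
CONSTRUCTED_INJECTION = "PID 1196 wrote to memory of 1337 1196 Antl.exe explorer.exe\n"

# child -> parent edges taken from the Processes section of the report.
PARENT_OF = {1196: 964, 956: 964, 1620: 956, 2020: 1620}

# PIDs listed under "Executes dropped EXE" and under
# "AdjustPrivilegeToken ... SeDebugPrivilege" in the report.
DROPPED_EXE_PIDS = {1196, 832, 956, 1620, 2020}
SEDEBUG_PIDS = {1196, 832}

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_wpm(text):
    """Parse 'PID A wrote to memory of B A <image A> <image B>' rows."""
    events = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        writer, target, writer_again, writer_image, target_image = m.groups()
        if writer != writer_again:  # the two writer columns must agree; skip malformed rows
            continue
        events.append(WpmEvent(int(writer), writer_image, int(target), target_image))
    return events


def classify(events, parent_of):
    """Group rows per (writer, target) and label each pair.

    'child-creation': the target is the writer's direct child. CreateProcess
    writes the new child's process parameters and environment into the child,
    so a few writes right before the child starts are ordinary behaviour.
    'cross-process': the target is not the writer's child; that is the
    pattern worth investigating.
    """
    counts = Counter((e.writer, e.target) for e in events)
    images = {(e.writer, e.target): (e.writer_image, e.target_image) for e in events}
    result = {}
    for (writer, target), n in counts.items():
        kind = "child-creation" if parent_of.get(target) == writer else "cross-process"
        result[(writer, target)] = {"count": n, "kind": kind, "images": images[(writer, target)]}
    return result


def risk_notes(classified, dropped_pids, sedebug_pids):
    """Attach the cross-references an analyst wants per writer/target pair."""
    notes = []
    for (writer, target), info in sorted(classified.items()):
        flags = []
        if writer in dropped_pids:
            flags.append("writer is a dropped EXE")
        if writer in sedebug_pids:
            flags.append("writer enabled SeDebugPrivilege")
        if info["kind"] == "cross-process":
            flags.append("cross-process write")
        notes.append((writer, target, info["kind"], info["count"], flags))
    return notes


if __name__ == "__main__":
    events = parse_wpm(REPORT_WPM + CONSTRUCTED_INJECTION)
    for writer, target, kind, n, flags in risk_notes(classify(events, PARENT_OF),
                                                     DROPPED_EXE_PIDS, SEDEBUG_PIDS):
        print(f"{writer} -> {target}: {kind} x{n}  {'; '.join(flags)}")
```

On the report's own rows every pair comes out as child-creation; only the constructed explorer.exe row is flagged, and it is flagged three times over (dropped writer, SeDebugPrivilege, cross-process), which is the combination that would justify pulling the target's memory dump.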
Processes
-
Bracketed numbers give the depth in the tree; PIDs are cross-referenced from the signature tables above (the second, top-level Antl.exe has no recorded parent in the report).
[1] C:\Users\Admin\AppData\Local\Temp\Antl-Setup-v2.05.83_x64(1).exe  (PID 964)
    command line: "C:\Users\Admin\AppData\Local\Temp\Antl-Setup-v2.05.83_x64(1).exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Antl\Antl.exe  (PID 1196)
        command line: "C:\Program Files (x86)\Antl\Antl.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Program Files (x86)\Antl\browser\mini_installer.exe  (PID 956)
        command line: "C:\Program Files (x86)\Antl\browser\mini_installer.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe  (PID 1620)
            command line: "C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\CHROME.PACKED.7Z"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe  (PID 2020)
                command line: "C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromium\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromium --annotation=ver=92.0.4501.1 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x1400e0380,0x1400e0390,0x1400e03a0
                - Executes dropped EXE
[1] C:\Program Files (x86)\Antl\Antl.exe  (PID 832)
    command line: "C:\Program Files (x86)\Antl\Antl.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Antl\Antl.exe  (3 identical entries)
Filesize 14.3MB
MD5 f7b78b719d70451185eca4b7e7dfea82
SHA1 0b6ce5c2a7a860b269d1bd9190f6f82894e84660
SHA256 e79f07000dc720ebf2dbd607f245b9ea26f1bd7f2d482c4cf06128aad9bc1c21
SHA512 074de5f74bb7de6b40ac57908b0c6ff201b0283a5307d00256ddb5e114b7c34a4dcc1f470a826e26f4d5083581e1471e2dd7e470485a67ebca66651bcdb09a6f
-
C:\Program Files (x86)\Antl\antl.ico
Filesize 34KB
MD5 a5cc58a76f92379a424408c49b3b8682
SHA1 195511bb78343be48503af35b780cd64404554f4
SHA256 f610f959042f6762f597039188cd5ed117fb93602adeae4af43b33bec8fa5597
SHA512 e2f339e3fb424ffa27ae372f7248c9a4322402d5c05c937dff8fb3d494f685fc9613718dc34e1e007ac7c3f179604002e5d3051a298f3fffdf3f9c29143268a6
-
C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\CHROME.PACKED.7Z
Filesize 62.8MB
MD5 25867f2a6cd55a22bf3e5516a662a751
SHA1 58d9084d62018a9de7942e2ab76e74172f35035b
SHA256 7549daa0f0a1cc0156c94a35f65d9139bd55d8a432098aae13c8ed03b301f227
SHA512 5fa52b47900369fdb5afe0a3b47e35f62e847eb39553cd8eba78ed8c7eaa5d71f5b46370e790f401f4dd28c2ec7857e80bef068d89a5d1c9eac6cbe3f2048df5
-
C:\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe  (3 identical entries)
Filesize 2.4MB
MD5 8de9dac80bd32a7150417f5c98ab00f2
SHA1 12bd67eb836b99ce462a5d9ce033e5eba360277b
SHA256 b0706c37b69c897df9368259a98f64bffbfcca388e4db5553efbf29250ec913d
SHA512 4565ed49a1a1c8231970984f9d9bf65874c2f4a3cdeb80518f39181dbd744b13457bab8bcd0f8acd90b1db5f6199216497d9f3b919ec5c22c8aeaa88daed3851
-
C:\Program Files (x86)\Antl\browser\mini_installer.exe
Filesize 63.9MB
MD5 a1f7f2dd513d26779f17cd056ba3ba5c
SHA1 49d2e2561b51f393c2d6bc189bd6efa1097e6558
SHA256 e7483a855fc45987f51caea726bd6192ef8570f8f87fd1c99db5ed549b121dd0
SHA512 ad67c847345dc616674a5f617862b2ffda12a523f729cbf35b870f39916b9ca1537ae11f725e37934ce56c49aad46b43824eee75ebacfd5947a8f59856a59168
-
C:\Program Files (x86)\Antl\pack.data.new
Filesize 7.3MB
MD5 1155c75942d5c73df696033036c7b777
SHA1 1f08b5c15ac13d8094e45d27c615dab3107a3dd3
SHA256 945fcc283b98dd528a5140bc54b6656d380debead665a5cfaeec60c301945b09
SHA512 b0e21b96afcdb4a243e2a9f6da653b0f984d0978a3f8e7da41dc9431707a77cf715f12adaeef692e1439c99dbdc136034d0bc2f5f5e37de57c194bb575c8de01
-
C:\Program Files (x86)\Antl\uantl_x64.dll
Filesize 39.5MB
MD5 7280aa101b916d99c1fa3efd4f93534c
SHA1 dc3d3077614e336073d01694ccffcb21688a549b
SHA256 3530c7d86dc66d7b3f2404c9cda58f09d5516f08e97d90ddc3f1cb933e0759e3
SHA512 5c5f6484bc587e5bd58f6f2f8fd3c8d7745207302d9645a1abc79b5d9e416d05527f3da8307d829364988ff15b9a1b387d8371e1bc342a25a69ad03d1417cbdd
-
C:\Users\Admin\.antl\config.ini
Filesize 69B
MD5 08827aa46d3bce140a6b85945c4cc731
SHA1 67c4b4ab90c34b754c6e091424accfd0c64d152d
SHA256 c3483321aa4df8cd399ed247d3063708d81466ffb6bde788969e4c1d475ffb04
SHA512 0a8bc6095d70670531a471007b730da31fa57b074b2c6866063234b7de9b225246281a02ba6cff38e62280e05e5a55093cf987a23d56224148d497f32b8f8da2
-
C:\Users\Admin\AppData\Local\Chromium\User Data\Crashpad\settings.dat
Filesize 40B
MD5 5641f9a2d33118b060f928174963c75c
SHA1 d6919c08039f4c927c36657bd3ca4c56884e53ac
SHA256 eeb9ec5212b7f06505d50af29e9a38767e88c6e013046df8a45fe73d5ef271a7
SHA512 aaac59d96c957b7412a5fe39dec74894bf70ee4625ff7b56b871f7e00ed69726ba55acf07feedd9fc7fdfb7cc847c116776782264ebef07f16b90f149bffd0e7
-
\Program Files (x86)\Antl\Antl.exe  (6 identical entries; same file as C:\Program Files (x86)\Antl\Antl.exe above)
Filesize 14.3MB
MD5 f7b78b719d70451185eca4b7e7dfea82
SHA1 0b6ce5c2a7a860b269d1bd9190f6f82894e84660
SHA256 e79f07000dc720ebf2dbd607f245b9ea26f1bd7f2d482c4cf06128aad9bc1c21
SHA512 074de5f74bb7de6b40ac57908b0c6ff201b0283a5307d00256ddb5e114b7c34a4dcc1f470a826e26f4d5083581e1471e2dd7e470485a67ebca66651bcdb09a6f
-
\Program Files (x86)\Antl\browser\CR_8649C.tmp\setup.exe  (2 identical entries; same file as the C:\ path above)
Filesize 2.4MB
MD5 8de9dac80bd32a7150417f5c98ab00f2
SHA1 12bd67eb836b99ce462a5d9ce033e5eba360277b
SHA256 b0706c37b69c897df9368259a98f64bffbfcca388e4db5553efbf29250ec913d
SHA512 4565ed49a1a1c8231970984f9d9bf65874c2f4a3cdeb80518f39181dbd744b13457bab8bcd0f8acd90b1db5f6199216497d9f3b919ec5c22c8aeaa88daed3851
-
\Program Files (x86)\Antl\browser\mini_installer.exe  (same file as the C:\ path above)
Filesize 63.9MB
MD5 a1f7f2dd513d26779f17cd056ba3ba5c
SHA1 49d2e2561b51f393c2d6bc189bd6efa1097e6558
SHA256 e7483a855fc45987f51caea726bd6192ef8570f8f87fd1c99db5ed549b121dd0
SHA512 ad67c847345dc616674a5f617862b2ffda12a523f729cbf35b870f39916b9ca1537ae11f725e37934ce56c49aad46b43824eee75ebacfd5947a8f59856a59168
-
\Program Files (x86)\Antl\uantl_x64.dll  (same file as the C:\ path above)
Filesize 39.5MB
MD5 7280aa101b916d99c1fa3efd4f93534c
SHA1 dc3d3077614e336073d01694ccffcb21688a549b
SHA256 3530c7d86dc66d7b3f2404c9cda58f09d5516f08e97d90ddc3f1cb933e0759e3
SHA512 5c5f6484bc587e5bd58f6f2f8fd3c8d7745207302d9645a1abc79b5d9e416d05527f3da8307d829364988ff15b9a1b387d8371e1bc342a25a69ad03d1417cbdd
-
\Users\Admin\AppData\Local\Temp\nsz47CC.tmp\System.dll
Filesize 29KB
MD5 26c8a92678f1b970ac2a700bb844c309
SHA1 c821a5980c31b0b35f1505cde836d6769f45e3a3
SHA256 2a7b5d1cab96a5280b0694d0ed54510129626a1ba36a51bd34d546972b7d18b8
SHA512 fba6e371853fd6c27097eb7cce7ffc59d71e4f0a9b5e55de06472d094b70c44a409bd82f39d9a27a814e826ab8468c59e947401a3c3ead1f057cbac236588860
-
\Users\Admin\AppData\Local\Temp\nsz47CC.tmp\nsDialogs.dll
Filesize 14KB
MD5 8f45e78d9d02ca8a9f9c274a8bfe2a57
SHA1 9b3838e1d2d4fbc1c84e1252747e96aa1b223d83
SHA256 78f9594721361fd3415b8c5194f9c9b87c580d6a70ddb95f2c4743c61ce68ebe
SHA512 125f1bcf833e0c233ebee552c164d9726769f06e5163467888abea08048fdae60a94b903ef97ba82ca9cf684f3c027d9605d54e9efe794df3e452f9b20e4ca96
System.dll and nsDialogs.dll unpacked into an ns*.tmp directory are the stock NSIS plugin DLLs, so the outer Antl-Setup installer is an NSIS package; the uninst.exe it drops under Program Files is the NSIS default uninstaller name. These two DLLs are installer runtime, not payload.
-
memory/956-72-0x0000000000000000-mapping.dmp
-
memory/964-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
Filesize 8KB
-
memory/1196-82-0x000001BAC5340000-0x000001BAC5470000-memory.dmp
Filesize 1.2MB
-
memory/1196-63-0x0000000000000000-mapping.dmp
-
memory/1196-85-0x000001C29BB42000-0x000001C29BB7F000-memory.dmp
Filesize 244KB
-
memory/1196-86-0x000001C29BB42000-0x000001C29BB7F000-memory.dmp
Filesize 244KB
-
memory/1196-87-0x000001C29BB42000-0x000001C29BB7F000-memory.dmp
Filesize 244KB
-
memory/1620-76-0x0000000000000000-mapping.dmp
-
memory/2020-80-0x0000000000000000-mapping.dmp
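The dropped-file list repeats the same binary under several paths and several times per path, and the raw extraction fuses each field name to its value ("MD5f7b7…", "Antl.exeFilesize"). The parser below is an added example for working with this list, not part of the report or of any sandbox tooling: it accepts both the fused and the space-separated layouts, rejects digests of the wrong length (which is how a mis-split "SHA1"/"SHA256" prefix would show up), and collapses the records by SHA256 so that each unique file appears once with every path it was seen under. The three records embedded are copied from this page.

```python
import re
from collections import defaultdict

# Records in the report's "Downloads" layout, copied from this page. The first
# and third use the raw fused form, the second the space-separated form.
SAMPLE_RECORDS = r"""
-
C:\Program Files (x86)\Antl\Antl.exeFilesize
14.3MB
MD5f7b78b719d70451185eca4b7e7dfea82
SHA10b6ce5c2a7a860b269d1bd9190f6f82894e84660
SHA256e79f07000dc720ebf2dbd607f245b9ea26f1bd7f2d482c4cf06128aad9bc1c21
SHA512074de5f74bb7de6b40ac57908b0c6ff201b0283a5307d00256ddb5e114b7c34a4dcc1f470a826e26f4d5083581e1471e2dd7e470485a67ebca66651bcdb09a6f
-
\Program Files (x86)\Antl\Antl.exe
Filesize 14.3MB
MD5 f7b78b719d70451185eca4b7e7dfea82
SHA1 0b6ce5c2a7a860b269d1bd9190f6f82894e84660
SHA256 e79f07000dc720ebf2dbd607f245b9ea26f1bd7f2d482c4cf06128aad9bc1c21
SHA512 074de5f74bb7de6b40ac57908b0c6ff201b0283a5307d00256ddb5e114b7c34a4dcc1f470a826e26f4d5083581e1471e2dd7e470485a67ebca66651bcdb09a6f
-
C:\Users\Admin\.antl\config.iniFilesize
69B
MD508827aa46d3bce140a6b85945c4cc731
SHA167c4b4ab90c34b754c6e091424accfd0c64d152d
SHA256c3483321aa4df8cd399ed247d3063708d81466ffb6bde788969e4c1d475ffb04
SHA5120a8bc6095d70670531a471007b730da31fa57b074b2c6866063234b7de9b225246281a02ba6cff38e62280e05e5a55093cf987a23d56224148d497f32b8f8da2
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest algorithm name first: "SHA256e79f..." must not be read as SHA1 + "256e79f...".
_HASH = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
_SIZE = re.compile(r"^Filesize\s*(\d+(?:\.\d+)?(?:B|KB|MB|GB))$")
_BARE_SIZE = re.compile(r"^(\d+(?:\.\d+)?(?:B|KB|MB|GB))$")


def parse_downloads(text):
    """Turn the '-'-separated records into dicts with path, size, hashes, errors."""
    records, cur, expect_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # record separator
            if cur:
                records.append(cur)
            cur, expect_size = None, False
            continue
        if cur is None:                      # first line of a record is the path
            path = line
            if path.endswith("Filesize"):    # fused form: size is on the next line
                path, expect_size = path[:-len("Filesize")], True
            cur = {"path": path, "size": None, "hashes": {}, "errors": []}
            continue
        if expect_size:
            m = _BARE_SIZE.match(line)
            if m:
                cur["size"] = m.group(1)
            else:
                cur["errors"].append(f"expected a size, got {line!r}")
            expect_size = False
            continue
        if line == "Filesize":               # field name alone, value on the next line
            expect_size = True
            continue
        m = _SIZE.match(line)
        if m:
            cur["size"] = m.group(1)
            continue
        m = _HASH.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                cur["errors"].append(f"{algo} digest has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            else:
                cur["hashes"][algo] = digest
            continue
        cur["errors"].append(f"unrecognised line {line!r}")
    if cur:
        records.append(cur)
    return records


def dedup_by_sha256(records):
    """Collapse records to one entry per SHA256, keeping every path seen."""
    groups = defaultdict(lambda: {"paths": [], "count": 0, "size": None})
    for r in records:
        key = r["hashes"].get("SHA256")
        if key is None:
            continue                         # no usable identity for this record
        g = groups[key]
        g["count"] += 1
        g["size"] = g["size"] or r["size"]
        if r["path"] not in g["paths"]:
            g["paths"].append(r["path"])
    return dict(groups)


if __name__ == "__main__":
    for sha256, g in dedup_by_sha256(parse_downloads(SAMPLE_RECORDS)).items():
        print(sha256, g["size"], g["count"], g["paths"])
```

Run over the full list above, the two Antl.exe paths (with and without the drive letter) fold into one SHA256 with nine sightings, which is the form an IoC feed or a blocklist wants; records that fail the length check are kept with their error text rather than silently dropped, so a garbled line is visible instead of becoming a wrong hash.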