Analysis
- max time kernel: 25s
- max time network: 80s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2023, 14:57
Behavioral task: behavioral1
- Sample: install_windows.exe
- Resource: win7-20221111-en
General
- Target: install_windows.exe
- Size: 268.4MB
- MD5: e2cddd280ca697fca70460164de219ca
- SHA1: c660af70e77c6b4e1f1024c1e5fb8f240edb52c4
- SHA256: 44fbfac03f6b951c71960c0e3df9770fe0b17dd4405da33102b2eafd5a566e46
- SHA512: 6bbfff5dd1d88f65778439bf9e5f28e29bd528fbba501e31191085dae8231b197909514f1e07e88b98d5396c844366f428a7f25e4e4fdebb5a897bd17ca08d11
- SSDEEP: 49152:nimxoYQinicQV/uj8NTpGktKDJ3MKtHiVqyylZQa0zeJUnvr02F1jNd:nVxHQinqVWjrKqyMJUHN
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 1660, jR0TQxnUl6.exe

Resource / yara_rule matches:
- behavioral1/files/0x00160000000122f8-68.dat: vmprotect
- behavioral1/files/0x00160000000122f8-69.dat: vmprotect
- behavioral1/files/0x00160000000122f8-71.dat: vmprotect
- behavioral1/files/0x00160000000122f8-74.dat: vmprotect
- behavioral1/files/0x00160000000122f8-73.dat: vmprotect
- behavioral1/memory/1660-76-0x0000000000EC0000-0x00000000014CC000-memory.dmp: vmprotect
Loads dropped DLL (3 IoCs)
- PID 1360, powershell.exe
- PID 1660, jR0TQxnUl6.exe
- PID 1660, jR0TQxnUl6.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
- PID 1360, powershell.exe (3 events)
- PID 1660, jR0TQxnUl6.exe (12 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 1320, wmic.exe (40 events): each of the following 20 tokens was adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 1520, WMIC.exe (24 events): the same 20 tokens once, in the same order, followed by SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege a second time
Suspicious use of WriteProcessMemory (49 IoCs)
Each parent-to-child write below was recorded 7 times (source PID, source process, target PID, procid_target):
- PID 1212 install_windows.exe wrote to memory of PID 1320 (procid_target 28)
- PID 1212 install_windows.exe wrote to memory of PID 1304 (procid_target 31)
- PID 1304 cmd.exe wrote to memory of PID 1520 (procid_target 33)
- PID 1212 install_windows.exe wrote to memory of PID 1732 (procid_target 34)
- PID 1732 cmd.exe wrote to memory of PID 1060 (procid_target 36)
- PID 1212 install_windows.exe wrote to memory of PID 1360 (procid_target 37)
- PID 1360 powershell.exe wrote to memory of PID 1660 (procid_target 39)
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\install_windows.exe (PID 1212, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\install_windows.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1320, depth 2)
    command line: wmic os get Caption
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1304, depth 2)
    command line: cmd /C "wmic path win32_VideoController get name"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1520, depth 3)
      command line: wmic path win32_VideoController get name
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1732, depth 2)
    command line: cmd /C "wmic cpu get name"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1060, depth 3)
      command line: wmic cpu get name

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1360, depth 2)
    command line: powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe (PID 1660, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.5MB
- MD5: 9234d32cf8a0a0d2e510f10e41788965
- SHA1: 1214d32602efb4a7531edf8a4c3e4aecaeb344bf
- SHA256: 9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b
- SHA512: 6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1