Analysis

  • max time kernel
    25s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2023, 14:57

General

  • Target

    install_windows.exe

  • Size

    268.4MB

  • MD5

    e2cddd280ca697fca70460164de219ca

  • SHA1

    c660af70e77c6b4e1f1024c1e5fb8f240edb52c4

  • SHA256

    44fbfac03f6b951c71960c0e3df9770fe0b17dd4405da33102b2eafd5a566e46

  • SHA512

    6bbfff5dd1d88f65778439bf9e5f28e29bd528fbba501e31191085dae8231b197909514f1e07e88b98d5396c844366f428a7f25e4e4fdebb5a897bd17ca08d11

  • SSDEEP

    49152:nimxoYQinicQV/uj8NTpGktKDJ3MKtHiVqyylZQa0zeJUnvr02F1jNd:nVxHQinqVWjrKqyMJUHN

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
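The two "Reads user/profile data of web browsers" and "Accesses cryptocurrency files/wallets" signatures above are path-based: they fire when a process opens well-known credential stores. The following Python is an added example, not the sandbox's own signature logic, that classifies file-access events the same way. The default store locations (Chromium "Login Data"/"Cookies", Firefox logins.json/key4.db, Bitcoin Core wallet.dat, Electrum and Exodus wallet folders) are well known but not exhaustive; the event layout and the sample events are constructed for this example (the report itself does not list which paths were touched), and the browser-process allow-list is an assumption that keeps a browser reading its own profile from being flagged.

```python
"""Added example: classify file-access paths against browser credential stores and
cryptocurrency wallet locations, the way the two infostealer signatures above do.
Not the sandbox's own code; event layout and sample events are constructed."""
import re
from collections import defaultdict

# (label, regex over a lower-cased, backslash-normalised path). Well-known default
# locations only; real signatures carry far longer tables.
BROWSER_STORES = [
    ("chromium_logins",  r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\[^\\]+\\login data$"),
    ("chromium_cookies", r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\[^\\]+\\(network\\)?cookies$"),
    ("firefox_logins",   r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$"),
]
WALLET_STORES = [
    ("bitcoin_core", r"\\appdata\\roaming\\bitcoin\\wallet\.dat$"),
    ("electrum",     r"\\appdata\\roaming\\electrum\\wallets\\"),
    ("exodus",       r"\\appdata\\roaming\\exodus\\exodus\.wallet\\"),
]
# Assumption: these images are the legitimate owners of the browser stores, so their
# own reads are not interesting. Any other image touching a store is.
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe")


def _compile(table):
    return [(label, re.compile(pat, re.IGNORECASE)) for label, pat in table]


BROWSER_RX = _compile(BROWSER_STORES)
WALLET_RX = _compile(WALLET_STORES)


def classify(path):
    """Return ('browser'|'wallet', label) for a known store path, else None."""
    p = path.replace("/", "\\").lower()
    for label, rx in BROWSER_RX:
        if rx.search(p):
            return ("browser", label)
    for label, rx in WALLET_RX:
        if rx.search(p):
            return ("wallet", label)
    return None


def scan(events):
    """Aggregate store accesses per process, skipping browsers reading their own data."""
    hits = defaultdict(lambda: {"image": None, "browser": set(), "wallet": set()})
    for e in events:
        c = classify(e["path"])
        if c is None:
            continue
        cat, label = c
        image_name = e["image"].replace("/", "\\").lower().rsplit("\\", 1)[-1]
        if cat == "browser" and image_name in BROWSER_IMAGES:
            continue  # the browser itself opening its profile store is normal
        h = hits[e["pid"]]
        h["image"] = e["image"]
        h[cat].add(label)
    return dict(hits)


# Constructed file-access events. PID 1660 is the dropped executable from the
# process tree; the paths are illustrative, not taken from the report.
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
EVENTS = [
    {"pid": 1660, "image": DROPPED, "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1660, "image": DROPPED, "path": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
    {"pid": 1660, "image": DROPPED, "path": r"C:\Users\Admin\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 1660, "image": DROPPED, "path": r"C:\Users\Admin\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"pid": 1660, "image": DROPPED, "path": r"C:\Windows\System32\kernel32.dll"},
    # Benign: Chrome reading its own store must not be reported.
    {"pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for pid, h in scan(EVENTS).items():
        print(f"PID {pid} {h['image']}")
        print("  browser stores:", sorted(h["browser"]))
        print("  wallet stores: ", sorted(h["wallet"]))
```

The allow-list is the part to tune: an infostealer that injects into the browser process would pass it, so in a real detection pair this with process-integrity signals rather than relying on the image name alone.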

Processes

  • C:\Users\Admin\AppData\Local\Temp\install_windows.exe
    "C:\Users\Admin\AppData\Local\Temp\install_windows.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        PID:1060
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe
        "C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1660
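The process tree above is a compact host-fingerprinting chain: the installer queries the OS caption, the video controller and the CPU name through WMIC (the three values a sandbox or VM check typically compares against known virtualisation strings), then uses PowerShell to start a second executable it dropped into the user's Temp directory. The Python below is an added example, not part of the report, that detects exactly that pattern from process-creation events. The PIDs, images and command lines are copied from the tree; the event record layout, the parent links and the `min_recon` threshold are assumptions for this example.

```python
"""Added example: flag the WMIC host-fingerprinting plus PowerShell temp-launch chain
from process-creation events. Not the sandbox's own code; record layout assumed."""
import re
from collections import defaultdict

# Constructed Sysmon-style records mirroring the report's process tree.
EVENTS = [
    {"pid": 1212, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\install_windows.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"'},
    {"pid": 1320, "ppid": 1212, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmd": "wmic os get Caption"},
    {"pid": 1304, "ppid": 1212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 1520, "ppid": 1304, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic path win32_VideoController get name"},
    {"pid": 1732, "ppid": 1212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd /C "wmic cpu get name"'},
    {"pid": 1060, "ppid": 1732, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic cpu get name"},
    {"pid": 1360, "ppid": 1212, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"'},
    {"pid": 1660, "ppid": 1360, "image": r"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"'},
]

# The three WMI queries used in the tree to fingerprint the host.
RECON_WMIC = re.compile(
    r"\bwmic\b.*\b(?:os\s+get\s+caption|(?:path\s+)?win32_videocontroller\s+get\s+name|cpu\s+get\s+name)",
    re.IGNORECASE,
)
# PowerShell Start-Process of an .exe inside a per-user Temp directory.
TEMP_LAUNCH = re.compile(
    r'start-process\s+"?[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\s"]+\.exe',
    re.IGNORECASE,
)
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def root_ancestor(pid, by_pid):
    """Follow ppid links up to the first process whose parent we have no record for."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def analyse(events, min_recon=2):
    """Report process trees that both fingerprint the host and launch from Temp.

    min_recon is an assumed threshold: one WMIC query is common in admin scripts,
    several distinct hardware/OS queries in a row from one tree are not.
    """
    by_pid = {e["pid"]: e for e in events}
    recon = defaultdict(list)     # root pid -> WMIC fingerprinting command lines
    launches = defaultdict(list)  # root pid -> PowerShell launches out of Temp
    for e in events:
        root = root_ancestor(e["pid"], by_pid)
        # Count the WMIC process itself, not the cmd.exe wrapper that carries the same text.
        if "wmic" in e["image"].lower() and RECON_WMIC.search(e["cmd"]):
            recon[root].append(e["cmd"])
        if "powershell" in e["image"].lower() and TEMP_LAUNCH.search(e["cmd"]):
            launches[root].append(e["cmd"])
    findings = []
    for root in set(recon) | set(launches):
        if len(recon[root]) >= min_recon and launches[root]:
            r = by_pid[root]
            findings.append({
                "root_pid": root,
                "root_image": r["image"],
                "root_in_user_temp": bool(USER_TEMP.match(r["image"])),
                "recon": recon[root],
                "launches": launches[root],
            })
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"root PID {f['root_pid']} ({f['root_image']}), in user Temp: {f['root_in_user_temp']}")
        print("  host fingerprinting:", *f["recon"], sep="\n    ")
        print("  Temp launches:", *f["launches"], sep="\n    ")
```

Attributing each event to its root ancestor is what makes this robust: the WMIC queries run under two different cmd.exe wrappers and one direct child, and the launch comes from a fourth child, so a per-process rule would see four unrelated low-severity events instead of one chain.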

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe

      Filesize

      3.5MB

      MD5

      9234d32cf8a0a0d2e510f10e41788965

      SHA1

      1214d32602efb4a7531edf8a4c3e4aecaeb344bf

      SHA256

      9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b

      SHA512

      6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1

    • \Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe

      Filesize

      3.5MB

      MD5

      9234d32cf8a0a0d2e510f10e41788965

      SHA1

      1214d32602efb4a7531edf8a4c3e4aecaeb344bf

      SHA256

      9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b

      SHA512

      6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1

    • memory/1212-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

      Filesize

      8KB

    • memory/1360-75-0x0000000073CE0000-0x000000007428B000-memory.dmp

      Filesize

      5.7MB

    • memory/1360-67-0x0000000073CE0000-0x000000007428B000-memory.dmp

      Filesize

      5.7MB

    • memory/1660-76-0x0000000000EC0000-0x00000000014CC000-memory.dmp

      Filesize

      6.0MB