Analysis
-
max time kernel
106s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
20/01/2023, 14:57
Behavioral task
behavioral1
Sample
install_windows.exe
Resource
win7-20221111-en
General
-
Target
install_windows.exe
-
Size
268.4MB
-
MD5
e2cddd280ca697fca70460164de219ca
-
SHA1
c660af70e77c6b4e1f1024c1e5fb8f240edb52c4
-
SHA256
44fbfac03f6b951c71960c0e3df9770fe0b17dd4405da33102b2eafd5a566e46
-
SHA512
6bbfff5dd1d88f65778439bf9e5f28e29bd528fbba501e31191085dae8231b197909514f1e07e88b98d5396c844366f428a7f25e4e4fdebb5a897bd17ca08d11
-
SSDEEP
49152:nimxoYQinicQV/uj8NTpGktKDJ3MKtHiVqyylZQa0zeJUnvr02F1jNd:nVxHQinqVWjrKqyMJUHN
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5108 6LRRXdXAUP.exe -
resource yara_rule behavioral2/files/0x000b000000021a56-148.dat vmprotect behavioral2/files/0x000b000000021a56-150.dat vmprotect behavioral2/memory/5108-151-0x0000000000A00000-0x000000000100C000-memory.dmp vmprotect -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3616 powershell.exe 3616 powershell.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe 5108 6LRRXdXAUP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2036 wmic.exe Token: SeSecurityPrivilege 2036 wmic.exe Token: SeTakeOwnershipPrivilege 2036 wmic.exe Token: SeLoadDriverPrivilege 2036 wmic.exe Token: SeSystemProfilePrivilege 2036 wmic.exe Token: SeSystemtimePrivilege 2036 wmic.exe Token: SeProfSingleProcessPrivilege 2036 wmic.exe Token: SeIncBasePriorityPrivilege 2036 wmic.exe Token: SeCreatePagefilePrivilege 2036 wmic.exe Token: SeBackupPrivilege 2036 wmic.exe Token: SeRestorePrivilege 2036 wmic.exe Token: SeShutdownPrivilege 2036 wmic.exe Token: SeDebugPrivilege 2036 wmic.exe Token: SeSystemEnvironmentPrivilege 2036 wmic.exe Token: SeRemoteShutdownPrivilege 2036 wmic.exe Token: SeUndockPrivilege 2036 wmic.exe Token: SeManageVolumePrivilege 2036 wmic.exe Token: 33 2036 wmic.exe Token: 34 2036 wmic.exe Token: 35 2036 wmic.exe Token: 36 2036 wmic.exe Token: SeIncreaseQuotaPrivilege 2036 wmic.exe Token: SeSecurityPrivilege 2036 wmic.exe Token: SeTakeOwnershipPrivilege 2036 wmic.exe Token: SeLoadDriverPrivilege 2036 wmic.exe Token: SeSystemProfilePrivilege 2036 wmic.exe Token: SeSystemtimePrivilege 2036 wmic.exe Token: SeProfSingleProcessPrivilege 2036 wmic.exe Token: SeIncBasePriorityPrivilege 2036 wmic.exe Token: SeCreatePagefilePrivilege 2036 wmic.exe Token: SeBackupPrivilege 2036 wmic.exe Token: SeRestorePrivilege 2036 wmic.exe Token: SeShutdownPrivilege 2036 wmic.exe Token: SeDebugPrivilege 2036 wmic.exe Token: SeSystemEnvironmentPrivilege 2036 wmic.exe Token: SeRemoteShutdownPrivilege 2036 wmic.exe Token: SeUndockPrivilege 2036 wmic.exe Token: SeManageVolumePrivilege 2036 wmic.exe Token: 33 2036 wmic.exe Token: 34 2036 wmic.exe Token: 35 2036 wmic.exe Token: 36 2036 wmic.exe Token: SeIncreaseQuotaPrivilege 3524 WMIC.exe Token: SeSecurityPrivilege 3524 WMIC.exe Token: SeTakeOwnershipPrivilege 3524 WMIC.exe Token: SeLoadDriverPrivilege 3524 WMIC.exe Token: SeSystemProfilePrivilege 3524 WMIC.exe Token: SeSystemtimePrivilege 3524 WMIC.exe Token: SeProfSingleProcessPrivilege 3524 WMIC.exe Token: SeIncBasePriorityPrivilege 3524 WMIC.exe Token: SeCreatePagefilePrivilege 3524 WMIC.exe Token: SeBackupPrivilege 3524 WMIC.exe Token: SeRestorePrivilege 3524 WMIC.exe Token: SeShutdownPrivilege 3524 WMIC.exe Token: SeDebugPrivilege 3524 WMIC.exe Token: SeSystemEnvironmentPrivilege 3524 WMIC.exe Token: SeRemoteShutdownPrivilege 3524 WMIC.exe Token: SeUndockPrivilege 3524 WMIC.exe Token: SeManageVolumePrivilege 3524 WMIC.exe Token: 33 3524 WMIC.exe Token: 34 3524 WMIC.exe Token: 35 3524 WMIC.exe Token: 36 3524 WMIC.exe Token: SeIncreaseQuotaPrivilege 3524 WMIC.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1848 wrote to memory of 2036 1848 install_windows.exe 82 PID 1848 wrote to memory of 2036 1848 install_windows.exe 82 PID 1848 wrote to memory of 2036 1848 install_windows.exe 82 PID 1848 wrote to memory of 636 1848 install_windows.exe 84 PID 1848 wrote to memory of 636 1848 install_windows.exe 84 PID 1848 wrote to memory of 636 1848 install_windows.exe 84 PID 636 wrote to memory of 3524 636 cmd.exe 86 PID 636 wrote to memory of 3524 636 cmd.exe 86 PID 636 wrote to memory of 3524 636 cmd.exe 86 PID 1848 wrote to memory of 3572 1848 install_windows.exe 87 PID 1848 wrote to memory of 3572 1848 install_windows.exe 87 PID 1848 wrote to memory of 3572 1848 install_windows.exe 87 PID 3572 wrote to memory of 1748 3572 cmd.exe 89 PID 3572 wrote to memory of 1748 3572 cmd.exe 89 PID 3572 wrote to memory of 1748 3572 cmd.exe 89 PID 1848 wrote to memory of 3616 1848 install_windows.exe 90 PID 1848 wrote to memory of 3616 1848 install_windows.exe 90 PID 1848 wrote to memory of 3616 1848 install_windows.exe 90 PID 3616 wrote to memory of 5108 3616 powershell.exe 92 PID 3616 wrote to memory of 5108 3616 powershell.exe 92 PID 3616 wrote to memory of 5108 3616 powershell.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\install_windows.exe"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name3⤵PID:1748
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "" "start-process C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5108
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.5MB
MD59234d32cf8a0a0d2e510f10e41788965
SHA11214d32602efb4a7531edf8a4c3e4aecaeb344bf
SHA2569d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b
SHA5126bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1
-
Filesize
3.5MB
MD59234d32cf8a0a0d2e510f10e41788965
SHA11214d32602efb4a7531edf8a4c3e4aecaeb344bf
SHA2569d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b
SHA5126bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1