Resubmissions

27-02-2023 04:37

230227-e83rpsbf3s 8

27-02-2023 04:25

230227-e2b1eabe9v 3

27-02-2023 04:20

230227-ex6n8abg69 8

27-02-2023 04:14

230227-ets9qabe8t 4

12-02-2023 12:22

230212-pkc69adh37 8

Analysis

  • max time kernel
    201s
  • max time network
    251s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2023 12:22

General

  • Target

    Installer-x64bit.exe

  • Size

    750.0MB

  • MD5

    926183968d138d7486529820c768c3b5

  • SHA1

    8058b2204ebdcbf19e888a628c94e201b108b58d

  • SHA256

    a2465fc5059ea57c7b64b1dc01caf8735422a005ddb7fabeddfa3cbc89085ccf

  • SHA512

    40b2b026c4058fd5d2c39de5b0d28fc64aca6df6a3610a7f332d2d2674ea5c6f85ca6a88fb9b6d53b47fbd816d6ebaea5e8b916c62b109012746fe075c90a93a

  • SSDEEP

    6144:0WQoTBfjc6gSNv0owMEbjlqOVPrevcfK2fqcz1IOq:0WQ4OMc0OVPe2fx14

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer-x64bit.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer-x64bit.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Installer-x64bit.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1832-154-0x0000000000000000-mapping.dmp
  • memory/1860-133-0x0000000002560000-0x0000000002788000-memory.dmp
    Filesize

    2.2MB

  • memory/1860-132-0x0000000002560000-0x0000000002788000-memory.dmp
    Filesize

    2.2MB

  • memory/1860-134-0x0000000002560000-0x0000000002788000-memory.dmp
    Filesize

    2.2MB

  • memory/1860-135-0x0000000002560000-0x0000000002788000-memory.dmp
    Filesize

    2.2MB

  • memory/1860-136-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize

    972KB

  • memory/1860-155-0x0000000002560000-0x0000000002788000-memory.dmp
    Filesize

    2.2MB

  • memory/3460-156-0x0000000000000000-mapping.dmp