Resubmissions

27-02-2023 04:37  230227-e83rpsbf3s  8
27-02-2023 04:25  230227-e2b1eabe9v  3
27-02-2023 04:20  230227-ex6n8abg69  8
27-02-2023 04:14  230227-ets9qabe8t  4
12-02-2023 12:22  230212-pkc69adh37  8

Analysis
- max time kernel: 201s
- max time network: 251s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2023 12:22

Static task: static1
Behavioral task: behavioral1
Sample: Installer-x64bit.exe
Resource: win7-20221111-en
General

- Target: Installer-x64bit.exe
- Size: 750.0MB
- MD5: 926183968d138d7486529820c768c3b5
- SHA1: 8058b2204ebdcbf19e888a628c94e201b108b58d
- SHA256: a2465fc5059ea57c7b64b1dc01caf8735422a005ddb7fabeddfa3cbc89085ccf
- SHA512: 40b2b026c4058fd5d2c39de5b0d28fc64aca6df6a3610a7f332d2d2674ea5c6f85ca6a88fb9b6d53b47fbd816d6ebaea5e8b916c62b109012746fe075c90a93a
- SSDEEP: 6144:0WQoTBfjc6gSNv0owMEbjlqOVPrevcfK2fqcz1IOq:0WQ4OMc0OVPe2fx14
Malware Config
Signatures

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Installer-x64bit.exe

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Installer-x64bit.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Installer-x64bit.exe

- Delays execution with timeout.exe (1 IoC)
  Processes (pid | process):
    3460 | timeout.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    1860 | Installer-x64bit.exe
    1860 | Installer-x64bit.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 1860 wrote to memory of 1832 | 1860 | Installer-x64bit.exe | cmd.exe
    PID 1860 wrote to memory of 1832 | 1860 | Installer-x64bit.exe | cmd.exe
    PID 1860 wrote to memory of 1832 | 1860 | Installer-x64bit.exe | cmd.exe
    PID 1832 wrote to memory of 3460 | 1832 | cmd.exe | timeout.exe
    PID 1832 wrote to memory of 3460 | 1832 | cmd.exe | timeout.exe
    PID 1832 wrote to memory of 3460 | 1832 | cmd.exe | timeout.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Installer-x64bit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Installer-x64bit.exe"
  Depth: 1
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1860

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Installer-x64bit.exe" & del "C:\ProgramData\*.dll"" & exit
    Depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 1832

    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 5
      Depth: 3
      - Delays execution with timeout.exe
      PID: 3460