Analysis Overview
SHA256
be393666930fcd6564cec396d8b9732f34f6fdb9cdbd2283f21723a060ddeff3
Threat Level: Known bad
The file innosetup-6.2.1.zip was found to be: Known bad.
Malicious Activity Summary
Aurora
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-26 09:19
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-26 09:19
Reported
2023-02-26 09:22
Platform
win10v2004-20230220-en
Max time kernel
56s
Max time network
123s
Command Line
Signatures
Aurora
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4432 set thread context of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe | C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 94.142.138.71:8081 | tcp | |
| US | 8.8.8.8:53 | 71.138.142.94.in-addr.arpa | udp |
| IE | 20.50.73.9:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp |
Files
memory/1028-133-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-139-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-145-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-146-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-147-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-148-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-149-0x0000000000EA0000-0x00000000011FD000-memory.dmp
memory/1028-150-0x0000000000EA0000-0x00000000011FD000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-26 09:19
Reported
2023-02-26 09:22
Platform
win7-20230220-en
Max time kernel
23s
Max time network
34s
Command Line
Signatures
Aurora
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 904 set thread context of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe | C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| NL | 94.142.138.71:8081 | tcp |
Files
memory/1176-54-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-55-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-56-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-57-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-58-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-59-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-60-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-61-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-62-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp
memory/1176-63-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-65-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-66-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-67-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-68-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-70-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-69-0x0000000000400000-0x000000000075D000-memory.dmp
memory/1176-71-0x0000000000400000-0x000000000075D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
| MD5 | e5e23f78017d1e6eddfc8480e1679ee4 |
| SHA1 | 0667bd1b7129b105bd2c66ef6ad54c9648aec072 |
| SHA256 | 4fed2f4c33a3876390d8520f184062927aca8e0ce3538127de3a2f66ea856d91 |
| SHA512 | b1260e7ba7ad6d5dd0daeabc5f7cc1fc7a2e9259092f8d70d3d9eed923ed8aa60adcce4c27e9cb20966d500ed59edaaba9570f01d6a84180f1fb83e7b5c20049 |
memory/1176-103-0x0000000000400000-0x000000000075D000-memory.dmp