Analysis
- max time kernel: 55s
- max time network: 73s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2023 09:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: innosetup-6.2.1.exe
- Resource: win7-20230220-en
General
- Target: innosetup-6.2.1.exe
- Size: 7.4MB
- MD5: 5253a5a1631e8dfec0d91393656071c8
- SHA1: 13db3be759b3d1746f08c7e40a64e06b840d5fb9
- SHA256: 40a3561b321f01b715274144fb75d79e4d3437cf10dcee86818b9a02f8849d20
- SHA512: 42d1591f7106e61ed3892e377e4b265cafc14c28fb3c61fa4578b6d5c2d78ad3a840c9a9c1436f2c23e9200df38b1084a7088ca62bb3265122e52db0dea61dc1
- SSDEEP: 24576:x94s6V9vqyQT0iAw7vyc6CD8aH465hV27+TYF5otaz4ihmfg0dGRX8N1f+2b39Yh:x9h6V9vq/AwryFCJCh1z1
Malware Config
- Extracted family: aurora
- Extracted address: 94.142.138.71:8081
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
  - set thread context of 2080: pid 3816, innosetup-6.2.1.exe -> innosetup-6.2.1.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token, pid, process):
  - wmic.exe (pid 4740), the following sequence of 21 tokens observed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - WMIC.exe (pid 4340), the same 21-token sequence observed once, followed by SeIncreaseQuotaPrivilege
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description, pid, process, target process):
  - wrote to memory of 2080: pid 3816, innosetup-6.2.1.exe -> innosetup-6.2.1.exe (11 events)
  - wrote to memory of 4740: pid 2080, innosetup-6.2.1.exe -> wmic.exe (2 events)
  - wrote to memory of 2384: pid 2080, innosetup-6.2.1.exe -> cmd.exe (2 events)
  - wrote to memory of 4340: pid 2384, cmd.exe -> WMIC.exe (2 events)
  - wrote to memory of 4696: pid 2080, innosetup-6.2.1.exe -> cmd.exe (2 events)
  - wrote to memory of 100: pid 4696, cmd.exe -> WMIC.exe (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (depth 3)
      command line: wmic os get Caption
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (depth 3)
      command line: cmd /C "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (depth 4)
        command line: wmic path win32_VideoController get name
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (depth 3)
      command line: cmd /C "wmic cpu get name"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (depth 4)
        command line: wmic cpu get name
Downloads
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: b2446d155f77cf70a33bb0c25172fa3f
  SHA1: c20d68dad9e872b4607a5677c4851f863c28daf7
  SHA256: 0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb
  SHA512: 5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 53bf804f75123ed2339305be1d298398
  SHA1: 33a337e3e219da8ecd237b44fbcaf4864124a012
  SHA256: 7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8
  SHA512: 7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e
- memory/2080-N-0x0000000000440000-0x000000000079D000-memory.dmp, for N in 133, 139, 145, 146, 147, 148, 149, 150, 151, 204
  Filesize: 3.4MB each