Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
27-04-2023 05:53
Behavioral task
behavioral1
Sample
innoi-tr.exe
Resource
win7-20230220-en
General
-
Target
innoi-tr.exe
-
Size
3.6MB
-
MD5
f0c59bc9136e4547f44de13c22c9bef7
-
SHA1
51f73360a6cc303652e85523a211cbf665e5bb93
-
SHA256
5a9fbbd8e9bca755d3bb50a1e2a25187e449fe0c179cefa14a2766fbc704e670
-
SHA512
cb56dd085dfcae88a0efc1a9d643936fd5675cdaa0b43a7879099f00a77f35bb825cbb4bfe0d5cfeef7eb0ae76c6e291dc8c803f1af03243d8f50fe87b1c4bd4
-
SSDEEP
98304:WL4+FDm+RF15MSu+IJFqJC8lfJuV0cjiu6l/vZQt:8FDm01aj+iFJAcDhcvZQt
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
innoi-tr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ innoi-tr.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
innoi-tr.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion innoi-tr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion innoi-tr.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/3684-136-0x0000000000130000-0x0000000000B52000-memory.dmp agile_net behavioral2/memory/3684-137-0x0000000000130000-0x0000000000B52000-memory.dmp agile_net behavioral2/memory/3684-312-0x0000000000130000-0x0000000000B52000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/3684-136-0x0000000000130000-0x0000000000B52000-memory.dmp themida behavioral2/memory/3684-137-0x0000000000130000-0x0000000000B52000-memory.dmp themida behavioral2/memory/3684-312-0x0000000000130000-0x0000000000B52000-memory.dmp themida -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
innoi-tr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA innoi-tr.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
innoi-tr.exepid process 3684 innoi-tr.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4484 3684 WerFault.exe innoi-tr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
innoi-tr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 innoi-tr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier innoi-tr.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
innoi-tr.exepid process 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe 3684 innoi-tr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
innoi-tr.exedescription pid process Token: SeDebugPrivilege 3684 innoi-tr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\innoi-tr.exe"C:\Users\Admin\AppData\Local\Temp\innoi-tr.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 17642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3684 -ip 36841⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Processes.txtFilesize
4KB
MD52d7c6970fe3eb5f7418894e4355cf4ca
SHA1c21d5693659b4dda88edfc762ddb2f9c0640fd1c
SHA256da935fea9ada4fe702372b665989acd1442b1219271c82f66f4d34ecdfc4c790
SHA5125dbc6822dceec4ad2c3794255a614550861410089578b82f9ecf764c925223919b053d52f7b52b2def92551ebd0665a86b5c7e2defc9b77dd9b2f9e3c2f6cf28
-
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Software.txtFilesize
4KB
MD5ba677776671f5a143438935d549bccc2
SHA1cb4efbb91ae2dfc3ddc24a5e242619168ac57587
SHA256df5b6d7f6f0fbcc13b3bb8f168cb5cc0c9e80f6c5845f844c8ea675221e7e2c1
SHA5127099cacb87ca621e8eb9c60253d307efb614afe1de5f0c3966eecf0da64d8b54acc7847069ba2d9bf44bd39ad270e6fe79ae1b9c6b296cdb137a1b1a9aedc721
-
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Software.txtFilesize
4KB
MD5ba677776671f5a143438935d549bccc2
SHA1cb4efbb91ae2dfc3ddc24a5e242619168ac57587
SHA256df5b6d7f6f0fbcc13b3bb8f168cb5cc0c9e80f6c5845f844c8ea675221e7e2c1
SHA5127099cacb87ca621e8eb9c60253d307efb614afe1de5f0c3966eecf0da64d8b54acc7847069ba2d9bf44bd39ad270e6fe79ae1b9c6b296cdb137a1b1a9aedc721
-
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\msgid.datFilesize
13B
MD5c2985bb26e8377a52824f240b0d78047
SHA10c2162c285640044ed4dd2d40579050e0d1a9104
SHA25642271847dd7e30ebebf919e782716b4634ad0c2387339f559f476431e63b3747
SHA512eff80e445d7ba571e1468228145fc51c3f630a6da0ee129d1cdc6e009b5e78f70429b9ebbbedc82cb50fbab304d4becfbb2515baddc840c3a08307adccd3067a
-
memory/3684-139-0x0000000005590000-0x00000000055A0000-memory.dmpFilesize
64KB
-
memory/3684-141-0x0000000000130000-0x0000000000B52000-memory.dmpFilesize
10.1MB
-
memory/3684-160-0x0000000006FB0000-0x0000000007042000-memory.dmpFilesize
584KB
-
memory/3684-133-0x0000000000130000-0x0000000000B52000-memory.dmpFilesize
10.1MB
-
memory/3684-138-0x00000000059D0000-0x0000000005A36000-memory.dmpFilesize
408KB
-
memory/3684-202-0x0000000007600000-0x0000000007BA4000-memory.dmpFilesize
5.6MB
-
memory/3684-241-0x0000000005590000-0x00000000055A0000-memory.dmpFilesize
64KB
-
memory/3684-137-0x0000000000130000-0x0000000000B52000-memory.dmpFilesize
10.1MB
-
memory/3684-292-0x00000000067B0000-0x00000000067BA000-memory.dmpFilesize
40KB
-
memory/3684-293-0x0000000006830000-0x0000000006842000-memory.dmpFilesize
72KB
-
memory/3684-299-0x0000000005590000-0x00000000055A0000-memory.dmpFilesize
64KB
-
memory/3684-136-0x0000000000130000-0x0000000000B52000-memory.dmpFilesize
10.1MB
-
memory/3684-312-0x0000000000130000-0x0000000000B52000-memory.dmpFilesize
10.1MB