Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230221-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    27-04-2023 05:53

General

  • Target

    innoi-tr.exe

  • Size

    3.6MB

  • MD5

    f0c59bc9136e4547f44de13c22c9bef7

  • SHA1

    51f73360a6cc303652e85523a211cbf665e5bb93

  • SHA256

    5a9fbbd8e9bca755d3bb50a1e2a25187e449fe0c179cefa14a2766fbc704e670

  • SHA512

    cb56dd085dfcae88a0efc1a9d643936fd5675cdaa0b43a7879099f00a77f35bb825cbb4bfe0d5cfeef7eb0ae76c6e291dc8c803f1af03243d8f50fe87b1c4bd4

  • SSDEEP

    98304:WL4+FDm+RF15MSu+IJFqJC8lfJuV0cjiu6l/vZQt:8FDm01aj+iFJAcDhcvZQt
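
Before trusting any of the behaviour below, confirm that the file on your bench is the one the sandbox ran. The script that follows is an added example (not part of the sandbox output): it recomputes the four digests listed above and compares them with the report's values, streaming the file so larger samples do not have to fit in memory. SSDEEP is not in the Python standard library (it needs the `ssdeep` or `ppdeep` module) and is left out; the `verify_sample.py` name in the usage comment is a placeholder.

```python
"""Check a local copy of the sample against the hashes published in the report.

Added example, not part of the sandbox output. Only the four reported digests are
recomputed; SSDEEP needs a third-party module (ssdeep / ppdeep) and is left out.
"""
import hashlib
import sys

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Values copied from the report's General section for innoi-tr.exe.
REPORTED_HASHES = {
    "md5": "f0c59bc9136e4547f44de13c22c9bef7",
    "sha1": "51f73360a6cc303652e85523a211cbf665e5bb93",
    "sha256": "5a9fbbd8e9bca755d3bb50a1e2a25187e449fe0c179cefa14a2766fbc704e670",
    "sha512": "cb56dd085dfcae88a0efc1a9d643936fd5675cdaa0b43a7879099f00a77f35bb"
              "825cbb4bfe0d5cfeef7eb0ae76c6e291dc8c803f1af03243d8f50fe87b1c4bd4",
}


def digest_stream(fh, chunk_size=1 << 20):
    """All four digests of a readable binary stream, read once in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path):
    """Hash a file on disk without loading it whole (this sample is 3.6MB; others are not)."""
    with open(path, "rb") as fh:
        return digest_stream(fh)


def compare(actual, expected):
    """Per-algorithm verdict. Case-insensitive, since reports differ in hex casing."""
    return {name: actual[name].lower() == expected[name].lower() for name in expected}


def is_reported_sample(actual, expected=REPORTED_HASHES):
    """True only when every published digest matches; one mismatch is a different file."""
    return all(compare(actual, expected).values())


if __name__ == "__main__":
    # usage: python verify_sample.py innoi-tr.exe   (script name is a placeholder)
    result = digest_file(sys.argv[1])
    for name, ok in compare(result, REPORTED_HASHES).items():
        print(f"{name:6} {'match' if ok else 'MISMATCH'}  {result[name]}")
    sys.exit(0 if is_reported_sample(result) else 1)
```

Treat SHA256 as the authoritative identifier when pivoting to other sources; MD5 is listed for convenience and is collision-prone. A SHA256 match with a different file size or SSDEEP would mean the report, not the sample, is inconsistent and is worth re-checking.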

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops a debugger from receiving events for that thread; a common anti-debugging technique.

  • Program crash 1 IoCs

    WerFault.exe was spawned for the sample's process (PID 3684; see Processes).
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs

    Compare the Processes.txt file written under %LOCALAPPDATA% (see Downloads).
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
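
The signatures above are each a rule over the sample's API trace. Sysmon does not record registry reads (its registry events cover creates, sets and renames), so the BIOS, ACPI, CPU and Uninstall lookups are only visible to a sandbox API monitor or an ETW Kernel-Registry trace. The following added example (not the sandbox's own rule logic) replays a small set of such rules over constructed trace rows; the registry keys, browser paths and IP-lookup hosts are the ones these checks conventionally touch and are assumptions, not values quoted from this report, and only the PID 3684 is taken from the process tree.

```python
"""Replay the behavioural signatures above over a sandbox API trace.

Added example, not the sandbox's own rule logic. The trace rows are CONSTRUCTED;
the report does not publish the sample's raw API log. The registry keys, file
paths and hosts below are the ones these checks conventionally touch (assumption),
not values quoted from the report.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    pid: int
    api: str      # e.g. RegQueryValueExW, NtOpenKey, CreateFileW, InternetOpenUrlW
    target: str   # registry key\value, file path or URL as the monitor recorded it


def _rule(apis, pattern):
    """Predicate: API name has one of the given prefixes and target matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e.api.lower().startswith(apis) and rx.search(e.target) is not None


REG = ("reg", "ntopenkey", "ntqueryvaluekey")
FILE = ("createfilew", "ntcreatefile", "ntopenfile", "copyfilew")
NET = ("internetopenurlw",)

# Signature name (as the report phrases it) -> predicate over one event.
RULES = {
    "Identifies VirtualBox via ACPI registry values":
        _rule(REG, r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    "Checks BIOS information in registry":
        _rule(REG, r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(SystemManufacturer|SystemProductName|BIOSVendor|BIOSVersion)$"),
    "Checks processor information in registry":
        _rule(REG, r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+\\(ProcessorNameString|Identifier|VendorIdentifier)$"),
    "Checks whether UAC is enabled":
        _rule(REG, r"\\Policies\\System\\EnableLUA$"),
    "Checks installed software on the system":
        _rule(REG, r"\\CurrentVersion\\Uninstall\\[^\\]+\\(DisplayName|DisplayVersion)$"),
    "Reads user/profile data of web browsers":
        _rule(FILE, r"\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\.*\\(Login Data|Cookies|Web Data|logins\.json)$"),
    "Looks up external IP address via web service":
        _rule(NET, r"^https?://(api\.ipify\.org|icanhazip\.com|ip-api\.com|ipinfo\.io)(/|$)"),
}

ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values",
    "Checks BIOS information in registry",
    "Checks processor information in registry",
}


def match_events(events):
    """(signature, event) for every rule each event satisfies."""
    return [(name, e) for e in events for name, pred in RULES.items() if pred(e)]


def signature_counts(events):
    """Signature -> number of triggering events: the report's 'N IoCs' figure."""
    return Counter(name for name, _ in match_events(events))


def evasion_signatures(events):
    """Which of the three sandbox/VM fingerprinting signatures fired."""
    return ANTI_ANALYSIS & set(signature_counts(events))


# Constructed trace; only the PID (3684) is taken from the report's process tree.
SAMPLE_TRACE = [
    ApiEvent(3684, "NtOpenKey", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    ApiEvent(3684, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ApiEvent(3684, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    ApiEvent(3684, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ApiEvent(3684, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    ApiEvent(3684, "RegQueryValueExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ApiEvent(3684, "RegQueryValueExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName"),
    ApiEvent(3684, "CreateFileW", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ApiEvent(3684, "InternetOpenUrlW", "https://api.ipify.org/"),
    # Benign noise that must not fire: a shell-folder lookup and an ordinary DLL open.
    ApiEvent(3684, "RegQueryValueExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"),
    ApiEvent(3684, "CreateFileW", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for name, n in signature_counts(SAMPLE_TRACE).items():
        print(f"{n} IoCs  {name}")
```

Any one of these reads is legitimate on its own (installers enumerate Uninstall keys, hardware inventory tools read the BIOS values); the signal is the combination of all three fingerprinting rules firing from one process that then touches browser credential stores and an IP-lookup service.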

Processes

  • C:\Users\Admin\AppData\Local\Temp\innoi-tr.exe
    "C:\Users\Admin\AppData\Local\Temp\innoi-tr.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1764
      2⤵
      • Program crash
      PID:4484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3684 -ip 3684
    1⤵
      PID:1660

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                        Count  ID
  Defense Evasion    Virtualization/Sandbox Evasion   1      T1497
  Credential Access  Credentials in Files             1      T1081
  Discovery          Query Registry                   4      T1012
  Discovery          Virtualization/Sandbox Evasion   1      T1497
  Discovery          System Information Discovery     3      T1082
  Collection         Data from Local System           1      T1005

  The IDs are ATT&CK v6 identifiers. T1081 (Credentials in Files) is retired in current ATT&CK and maps to T1552.001 (Unsecured Credentials: Credentials In Files); T1497 appears twice because ATT&CK lists Virtualization/Sandbox Evasion under both Defense Evasion and Discovery.


Downloads

    • C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Processes.txt
      Filesize

      4KB

      MD5

      2d7c6970fe3eb5f7418894e4355cf4ca

      SHA1

      c21d5693659b4dda88edfc762ddb2f9c0640fd1c

      SHA256

      da935fea9ada4fe702372b665989acd1442b1219271c82f66f4d34ecdfc4c790

      SHA512

      5dbc6822dceec4ad2c3794255a614550861410089578b82f9ecf764c925223919b053d52f7b52b2def92551ebd0665a86b5c7e2defc9b77dd9b2f9e3c2f6cf28

    • C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Software.txt
      Filesize

      4KB

      MD5

      ba677776671f5a143438935d549bccc2

      SHA1

      cb4efbb91ae2dfc3ddc24a5e242619168ac57587

      SHA256

      df5b6d7f6f0fbcc13b3bb8f168cb5cc0c9e80f6c5845f844c8ea675221e7e2c1

      SHA512

      7099cacb87ca621e8eb9c60253d307efb614afe1de5f0c3966eecf0da64d8b54acc7847069ba2d9bf44bd39ad270e6fe79ae1b9c6b296cdb137a1b1a9aedc721

    • C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\msgid.dat
      Filesize

      13B

      MD5

      c2985bb26e8377a52824f240b0d78047

      SHA1

      0c2162c285640044ed4dd2d40579050e0d1a9104

      SHA256

      42271847dd7e30ebebf919e782716b4634ad0c2387339f559f476431e63b3747

      SHA512

      eff80e445d7ba571e1468228145fc51c3f630a6da0ee129d1cdc6e009b5e78f70429b9ebbbedc82cb50fbab304d4becfbb2515baddc840c3a08307adccd3067a

    • memory/3684-139-0x0000000005590000-0x00000000055A0000-memory.dmp
      Filesize

      64KB

    • memory/3684-141-0x0000000000130000-0x0000000000B52000-memory.dmp
      Filesize

      10.1MB

    • memory/3684-160-0x0000000006FB0000-0x0000000007042000-memory.dmp
      Filesize

      584KB

    • memory/3684-133-0x0000000000130000-0x0000000000B52000-memory.dmp
      Filesize

      10.1MB

    • memory/3684-138-0x00000000059D0000-0x0000000005A36000-memory.dmp
      Filesize

      408KB

    • memory/3684-202-0x0000000007600000-0x0000000007BA4000-memory.dmp
      Filesize

      5.6MB

    • memory/3684-241-0x0000000005590000-0x00000000055A0000-memory.dmp
      Filesize

      64KB

    • memory/3684-137-0x0000000000130000-0x0000000000B52000-memory.dmp
      Filesize

      10.1MB

    • memory/3684-292-0x00000000067B0000-0x00000000067BA000-memory.dmp
      Filesize

      40KB

    • memory/3684-293-0x0000000006830000-0x0000000006842000-memory.dmp
      Filesize

      72KB

    • memory/3684-299-0x0000000005590000-0x00000000055A0000-memory.dmp
      Filesize

      64KB

    • memory/3684-136-0x0000000000130000-0x0000000000B52000-memory.dmp
      Filesize

      10.1MB

    • memory/3684-312-0x0000000000130000-0x0000000000B52000-memory.dmp
      Filesize

      10.1MB
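
The Downloads list mixes two kinds of artefact: files the sample wrote to disk (hunt for these) and memory dumps the sandbox took of PID 3684 (open these in a disassembler). The added example below (not part of the sandbox output) parses the flattened list into records, drops the repeated Software.txt row, separates the two kinds, and cross-checks each memory region's address range against its reported size. REPORT_EXCERPT is copied from the list above with blank lines collapsed; the `Admin@[email protected]` segment is how the page renders that directory name, not a real on-disk name.

```python
"""Parse the report's dropped-file and memory-region entries into checkable records.

Added example, not part of the sandbox output. REPORT_EXCERPT is copied from the
Downloads list above with blank lines collapsed (the parser skips empty lines, so
the page text as printed parses the same way). The 'Admin@[email protected]'
segment is how the page renders that directory name, not a real on-disk name.
"""
import re

_MEM_RX = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
_SIZE_RX = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\msgid.dat
  Filesize
  13B
  MD5
  c2985bb26e8377a52824f240b0d78047
  SHA256
  42271847dd7e30ebebf919e782716b4634ad0c2387339f559f476431e63b3747
• C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Software.txt
  Filesize
  4KB
  SHA256
  df5b6d7f6f0fbcc13b3bb8f168cb5cc0c9e80f6c5845f844c8ea675221e7e2c1
• C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Software.txt
  Filesize
  4KB
  SHA256
  df5b6d7f6f0fbcc13b3bb8f168cb5cc0c9e80f6c5845f844c8ea675221e7e2c1
• memory/3684-141-0x0000000000130000-0x0000000000B52000-memory.dmp
  Filesize
  10.1MB
• memory/3684-139-0x0000000005590000-0x00000000055A0000-memory.dmp
  Filesize
  64KB
"""


def parse_entries(text):
    """Each '•' line starts a record; the lines after it alternate label, value."""
    entries, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            current = {"path": line[2:]}
            entries.append(current)
            label = None
        elif current is not None and label is None:
            label = line.lower()              # Filesize, MD5, SHA1, SHA256, SHA512
        elif current is not None:
            current[label] = line
            label = None
    return entries


def parse_size(text):
    """'13B' -> 13, '4KB' -> 4096, '10.1MB' -> 10590617.6 (the report rounds, so this is approximate)."""
    m = _SIZE_RX.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def region_bounds(path):
    """(pid, start, end) for a memory/<pid>-<seq>-<start>-<end>-memory.dmp entry, else None."""
    m = _MEM_RX.search(path)
    return (int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)) if m else None


def region_size_matches(entry):
    """True when end - start equals the reported Filesize at the report's own precision."""
    bounds = region_bounds(entry["path"])
    if bounds is None:
        return None
    m = _SIZE_RX.match(entry["filesize"])
    decimals = len(m.group(1).partition(".")[2])
    actual = (bounds[2] - bounds[1]) / _UNITS[m.group(2)]
    return round(actual, decimals) == float(m.group(1))


def dedupe(entries):
    """Drop repeated rows (the report lists Software.txt twice with identical hashes)."""
    seen = {}
    for e in entries:
        seen.setdefault((e["path"], e.get("sha256")), e)
    return list(seen.values())


def dropped_file_hashes(entries):
    """Sorted SHA256 set for host hunting; memory dumps are sandbox artefacts, not IOCs."""
    return sorted(e["sha256"] for e in dedupe(entries)
                  if region_bounds(e["path"]) is None and "sha256" in e)
```

Every region in the list above passes the size check, so the dump names can be trusted as address ranges. The 0x130000 to 0xB52000 range is dumped five times (sequence numbers 133, 136, 137, 141 and 312) and is 10.1MB against a 3.6MB file on disk, which is the dump to open first when looking for the protected image in its in-memory state. For host hunting, the stable IOC is the directory pattern `%LOCALAPPDATA%\<32 hex chars>\msgid.dat` together with the Processes.txt and Software.txt hashes; the `f91706e5...` name itself may be machine-specific.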