811361c4127c64d405cc8f18c80006526614c2ff16c08ca4fcce7e5e9592f37b

Analysis

max time kernel
154s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

xampp-windows-x64-7.4.29-1-VC15-installer.exe
Size

159.6MB
MD5

e7cc3f8ff98a8f05b04d465f72747774
SHA1

4304e515895038e73dcf50e7dfadbbba34ffbcec
SHA256

811361c4127c64d405cc8f18c80006526614c2ff16c08ca4fcce7e5e9592f37b
SHA512

5fc227da138b58ea6862395a280ed4316f34d2c50e0fabb68e636481e7e2f8d3cd06b2a42d10cd0b5f54dfa1d5404f7102eaa76a3d100cf0cc1d011bf4adf28a
SSDEEP

3145728:CwiF7X9NFT/7ofNMs1NvxwBcqZrZwIDUFaMeozwUq+cxXJp:CwUrwNMsHpScKNzKeoMUqNP

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xampp-windows-x64-7.4.29-1-VC15-installer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xampp-windows-x64-7.4.29-1-VC15-installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	xampp-windows-x64-7.4.29-1-VC15-installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	xampp-windows-x64-7.4.29-1-VC15-installer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	xampp-windows-x64-7.4.29-1-VC15-installer.exe

C:\Users\Admin\AppData\Local\Temp\xampp-windows-x64-7.4.29-1-VC15-installer.exe
"C:\Users\Admin\AppData\Local\Temp\xampp-windows-x64-7.4.29-1-VC15-installer.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.installbuilder\.tmp_1460_2674608\wmImage.png

Filesize
1KB

MD5
7809a37f23435337334b0d8d640766b4

SHA1
296649f4fd64ae699c9cdfd3a8c21c1b27e17c3b

SHA256
e4f120a9329a2dd7427e254960330edb6ae72eb26ca31a2b4228803d02419012

SHA512
6445902a0f92b77d08de60e746ad411f3ade1e06720f6634027b0158b55e2fe5b2fc7dc7e859472148ad48384e7cb9a210eefcde897e36f72b44cfcad3122397

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB069.tmp

Filesize
64KB

MD5
d2e59ee980c15085bbe292082abec7e6

SHA1
30154e439177235e768c6fc9c7e6d83e9320a80b

SHA256
eb10d4d4b459f4bbaf611538ed8098c7fad5a839495085f3363b3bf1050c4958

SHA512
6f61f337ee24a8fab29afcbcd2a5e674c5745cf5caaba99e58fc9d762fae3620864262d23118728ed6d124ab51feeaa7d9057042b6a42bc9e49feda18005a7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB0F6.tmp

Filesize
356KB

MD5
c3c4f3fe90e3b3b02bea0e8da3447ed2

SHA1
7ac0f54119d2273a2cd261f1fe6c5667e9c486df

SHA256
3524ec77985e390acf9d07d81b1b44305165d711bbca770f7458ea0a78751f82

SHA512
0e24c9394c635a3f1671a297f97b613e6936cd8f862a214125d3456324a18668ae138d5c4fde036f55e2b13b158e4cebc53f78153862a008b1ae747eab228a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB174.tmp

Filesize
59KB

MD5
f62dd6ce51e19349ec1d1f2e88c4ef4d

SHA1
60bd29538b4fecaf527ba8b7d92b7f32d2e72ddb

SHA256
be88244da9faaa6636a9d2f4c4249c08066a0b48359690b9b27a2b9ed47e093d

SHA512
ba68a59427ec252b895e1c3d6879e0c7a010893d23b5a8687ce86d738faaec1367f73abbcf63fb8ce8b95d32afa3049cd59f22f0bc5a2ff2a3b123a54fe02012

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB1B4.tmp

Filesize
136KB

MD5
119e67e0b0add3f09aabbde47a599e17

SHA1
991c049d2466c5242f67e664159cb025f49e5c70

SHA256
439416fcebcf073600af44a2fb83428896dc8f69120ee4a76ee490a6428d6c94

SHA512
88d85765867555f8bf22db707ae49042db1a1bb1ed8a093afe4d10446b25e6400a2811f88bc5af9edb16b2b4f0366b09177cb9116c89e6950cb96b9fb2d93572

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB1D4.tmp

Filesize
513KB

MD5
5fbc6bd806a8a6c460faceeea73bd7f7

SHA1
4d1586a9631a72c3e1d75fb3c385dbd278804665

SHA256
8033d1b3af84d47d275e022608da35baac16cf40d9607ca026a47b6cd65e6a97

SHA512
4c51f9f331ac15206942e13504334b4c3549888519388607c44b617a68a9095114b0e6127e82b84170445df06260cc62308bc197b90cfb95af18d7cb6d413195

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB233.tmp

Filesize
235KB

MD5
51c675fc1ef0a62322052d3e86567c06

SHA1
e295d0b668105d81f9180ef1056d0528e4b2116a

SHA256
aaa3d7e589e9be1911eee5974afa68c64af1bbd5e039ff6a82a15c2b54c0f9f0

SHA512
a352e82db5c930c73165a48337ae51acda7ebd393b8b0b57d03d2e1b5057c41c26b1f321759b7bc521166890853ecdad7b37531212243ad86e181e2252a3b78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB272.tmp

Filesize
18KB

MD5
6d2c718c3059ceaa7b90919e6725a09a

SHA1
489967f8fe2b9021a891112754b840fe7dc71d13

SHA256
2ca70bc6394ee1b299a8cf1fe28e95c7d68b765e1828db1b651a7a62acae5356

SHA512
37547e9c6080d0dcb3ea23d9c856ce689997275b40d72bf9fd7c7c165e8cee4afe2ebe52e052c5f8bfc3e618391425219e9681191ee6f650444ebd643cb5a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRB34E.tmp

Filesize
19KB

MD5
a56543b9cd3aa403311b49189d25851e

SHA1
bd2609d35d4a967fe23ef4092b1daa6f74a858ad

SHA256
034756f772399552cd33605a189ee0e45d7947860e0d83ec12aa6da1a5a42054

SHA512
2237f493d70799675ae0e395f551b6cd46ff4789e46e2453c48fede07b7623b4b8111904d6fa139c204eea4405b5fd5812b0a91f27374219b721339149c25edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRBAF0.tmp

Filesize
36KB

MD5
a8b2a9bc29f24b733d35a8ef30551edd

SHA1
3faee2d4e1ce3ddcaa4c560c40e045cf147622cc

SHA256
22d4a48d7dd5c51c63e277944a91511e69d514721b5cd60b7da877d38bd8744d

SHA512
aca6c103b737e0142913fd12b6783464c7edba1953a0bd07084e996a070a7118d1f571249882f982dc7bd47656ac23b86b598b434176b3ab9553b63512771d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRBB11.tmp

Filesize
96KB

MD5
9b299884420745d80c70bba6b8a7f05a

SHA1
195423185a7776e072a65fbabae868c15f7b2f56

SHA256
9426e96a97f41645fab524385a852687792f99b505554b6b9809ed99451b2399

SHA512
ed839dc1b6ef53f3663b6055fb2869a522600b2af8d8a800958ddb531154f4e9a3f1733f32dff5511a22fe01525191c8683519cbdcedec138b1bcf3425f2155b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRBB21.tmp

Filesize
115KB

MD5
54431791b0b31ccd0112486f542858a1

SHA1
e628f2dc29d039d474f97fe67e562bd8798c6ba6

SHA256
b382c74f532ab766c272ed11b107a3ef7c015cca2e716243379058c084981332

SHA512
fab7561a312afdc92dcf70fe8a80356914153bdb9ff46d64b8f4e8d872a5a619a72a9ae5a8af656f371a59672737fe5990d33990154ad3b5d006a68cbefd01f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL000005b4\BRBB9F.tmp

Filesize
13.1MB

MD5
306a3de89c1cb692f9164f78bfef84cd

SHA1
6c1741e886a3891caa3cead07de33564c23f7995

SHA256
1fbca0a563f3ae96e915cb660c2ff4b905508bc6c64f3f06c127b287e3cc1e5b

SHA512
ae542a8c1294f2b088e2d5e8d0c7f38db5c3d441b885e75104065adb9c39a10aac0b6542031447a9adfe4c4302d5bf023e54d9c4ac0e7b7dac17e7ed978228ae

Download Submit
memory/1460-245-0x00000000710C0000-0x00000000710E3000-memory.dmp

Filesize
140KB

Download
memory/1460-250-0x0000000067380000-0x0000000067391000-memory.dmp

Filesize
68KB

Download
memory/1460-244-0x0000000066680000-0x0000000066695000-memory.dmp

Filesize
84KB

Download
memory/1460-242-0x0000000000470000-0x000000000076F000-memory.dmp

Filesize
3.0MB

Download
memory/1460-246-0x0000000067C80000-0x0000000067D09000-memory.dmp

Filesize
548KB

Download
memory/1460-247-0x000000006C580000-0x000000006C599000-memory.dmp

Filesize
100KB

Download
memory/1460-248-0x000000006AFE0000-0x000000006AFEE000-memory.dmp

Filesize
56KB

Download
memory/1460-249-0x000000006CA00000-0x000000006CA0E000-memory.dmp

Filesize
56KB

Download
memory/1460-251-0x0000000066C00000-0x0000000066C1B000-memory.dmp

Filesize
108KB

Download
memory/1460-243-0x000000006AFF0000-0x000000006B005000-memory.dmp

Filesize
84KB

Download
memory/1460-252-0x0000000067E00000-0x0000000067E20000-memory.dmp

Filesize
128KB

Download
memory/1460-253-0x000000006A2A0000-0x000000006AFD1000-memory.dmp

Filesize
13.2MB

Download
memory/1460-254-0x0000000000470000-0x000000000076F000-memory.dmp

Filesize
3.0MB

Download
memory/1460-266-0x0000000000470000-0x000000000076F000-memory.dmp

Filesize
3.0MB

Download
memory/1460-278-0x0000000000470000-0x000000000076F000-memory.dmp

Filesize
3.0MB

Download
memory/1460-289-0x000000006A2A0000-0x000000006AFD1000-memory.dmp

Filesize
13.2MB

Download
memory/1460-290-0x0000000000470000-0x000000000076F000-memory.dmp

Filesize
3.0MB

Download
memory/1460-301-0x000000006A2A0000-0x000000006AFD1000-memory.dmp

Filesize
13.2MB

Download
memory/1460-302-0x0000000000470000-0x000000000076F000-memory.dmp

Filesize
3.0MB

Download