480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cryptowalletinstaller.exe
Size

14.3MB
MD5

2753fea9125455e452e1951295158bc5
SHA1

4238700742f6540119fc40f8f001fa1b5da99425
SHA256

480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1
SHA512

fa829113e7b59223668ea78bcf7b40fd824e509055dfb5bb54b0a282de23888d55dc6da666f906640a2e9a2519f68490812fdccf1aecedbe2abbfcf1d2acb116
SSDEEP

98304:ox5Booyp/ylqh+esPbmbNv1m9VVEX6qwkPmCj:EDodtymbNdGELPFj

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cryptowalletinstaller.exe

description	ioc	Process
File opened (read-only)	\??\F:	cryptowalletinstaller.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A378DDF3-A0D1-4474-B78C-ED65BB458100}.catalogItem	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

cryptowalletinstaller.exe

pid	Process
2800	cryptowalletinstaller.exe
2800	cryptowalletinstaller.exe
2800	cryptowalletinstaller.exe
2800	cryptowalletinstaller.exe
2800	cryptowalletinstaller.exe
2800	cryptowalletinstaller.exe
2800	cryptowalletinstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeManageVolumePrivilege	3444	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cryptowalletinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\cryptowalletinstaller.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4336

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuA6B0.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
27e65259307fa7972e75e38effeda228

SHA1
c446ed97f65675a7c4f8a21dcf5877464e2c031c

SHA256
7ae19c961bf296efffb083bafbcf81e452253c5c29c6fb3e7c60dfba92897341

SHA512
e863f4c12d4d135c0605bede60498408149cb4b2463dce395c5b38c38939a45a0353d0df7d79d706e3b3ca97e480e1b2b592cad1d0103a02a22260cbf7a14542

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
fdb8d0ae28c970a88be22d2c81143f04

SHA1
4014a570dd8e5e73a89a3280aa526cd661a07b18

SHA256
26c61a9ef47f577b2973c94e7d15a89c34d6c028e67a8d5fd6cac0db2e2f82b2

SHA512
aaf7f637f38737b567c3fb2e3e33a5ee4c4eb0183dabdc66f9202322af428accfd71b8a5d69ddd91e96958f6da1223e103d1e8ed4f5558d9c8f027cd33b7d90c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
206df635e3ba54123cb914ff6d965403

SHA1
6c01df4184e550db47b97950adce49525683aa71

SHA256
48a22e4001a75f176ca7181154c33ecdee876586d65968e1e93f35e3c1435019

SHA512
88bc8ead58af4dc35e7b560023d005b63a33aa8e8886b83365a471cbfa2e0cccad3329d09dc44e3fc825ad2372f415374ace3f7a96a2857b1c9f00075dd262b8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
4fb3edab52eb97683a4045cd46575c72

SHA1
314914b8502501ffc544f7fe5f8ec0e1c04b6598

SHA256
9c2d6c65b99efef98f63a10260b89f24d4a0b0b6d1a42b5d5c7372756323e910

SHA512
f9ffbc34c0ba0adb3228fab6f2eb20a634e788816b1fa344553ce34589cc89d14af5338927bba068e67f43139555ae2c9067c1762daf274256ebad4ea81d4d75

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
dc70bdb56ef05a3c2d1db6cbf3b7397f

SHA1
d5f90ad0835a1b94745650ac412def42fdd40868

SHA256
d757001e8319f1e2d40bdb3fa63b6a6fcc9df4a0a0f1c516bdfff26ab540a800

SHA512
bd4521bfcd619edab0338e65e626f053d99b68086c1d585690e32be1b9fb22574a42c2de71e7fd3537bc8110fcfae1b3da339997bc586d5096eed36c852a40cb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
0ed1e95ed31c7cbc107c2fc873aa5a39

SHA1
57c46fc40d47bfad37789151538f9d8c3f33db69

SHA256
2da7bec4a640c782b5c8d47767f55614904a5e335c9af1d54ac5963f2cf940f3

SHA512
53bf7859f8171c32892c7e1c04ac6aa43b8c1a14a00f5df490559d8e16071408457423136988f8f41d3e2d8502e403e07b640ae419259e12c6a19eea161bfdb2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
46ba7ac4377308b358a7f1e9d990af61

SHA1
cc65437d23597c23d466a58f6193a28ba860e3a1

SHA256
57b03ac1bb20cc03c49a86fa168b7a38edc517efde4ef5add8538f6ebd3ec246

SHA512
646bd2abea7c74a3eec84bf19c6360e5183c92476da7bc73ed2d273c8288b0b518c56835b3b68eae04620d5790fb4e2bc23bbbaf0d0d27f00a352e5d22d2a213

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c2330fe08826163e384f52602ed55ebc

SHA1
fbde7ad3c2ef3da3a7d464f6d25c494302aeaaef

SHA256
7fb333c846ca1b82470e4235350bd91e303353b294da25e75e0a11d91115137b

SHA512
845c9a1f34b351de913c8620c49a4b581346cbd94fc4ae013086e53293f960f9e01b4e2f6ee9d9c5eed100272db608f2b7dcefb365830b860451c3c550c49161

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
672e64b6f38041310df986cef9c49bb3

SHA1
658ea19b2b21a2a5a3f5b7ca27cedbf827df721c

SHA256
9cc04fba8b4ec0e44c9561bedd51758e8356a5cb80125b21836c82c654d35c92

SHA512
7f6e88f25602faf1de4fcd8876c63b6985e5acf56881c362ba4225d70b6196bad191eaa80ef485e6e54c3ad58f29868c5046e699450589f2485c02de417a715c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
2bacf98dac7a5e0b2abec69e4a2191eb

SHA1
492cfcf0410a95a28536b2613397891f574283db

SHA256
f1cbd6f224239d44e4457d38a2a3de6c93591d49880eaef74b85afed794fdbbc

SHA512
81d0504e3fdc8492df64ffebdf28bdbae447fc5f52d0e7366b1e4c97b103424fe133090dc4cf6ae304811092be93a1cb9280dcfe668e7b2b02e199da39ab8a95

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f112220a9ad7c63d4214f8096dd09bb9

SHA1
353c6697fbb46519c458eb7df1c317d75d8628e5

SHA256
748af1356de24fa0ed9a013f1e9adf0c43c648f708b14d13a17a12b4553f457f

SHA512
ec68611ecfd07b695b7ba111962377b27f848e86070864d689cb997207374a6a638c10e890c1f32c5d2900624133a4f76e59a1a20a802111c6dcdf18f2e32147

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
86436d31573d87fdc0c320188f456dd2

SHA1
b11965cca43308d7a627567dae2dcd832363a0b0

SHA256
2a66aa23b533c50ac71a2cd9879f669327a57dab428da22270cb71a6a7b7074a

SHA512
3868386a9ff4954f65c6e37723d16d928c1f23892b47ccfbe6060f0a5c2e2b6509ceb96edc84d450c550d451461931268a0d1d1ce92e6958a4236300bf759468

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
9f66aff760e5bd4fc227543d9b2a1486

SHA1
032286d749e2717eeba39bdedad5e53a59d96c2a

SHA256
a8de07de3b4109821ac105a3d79e2671d7c1af7300a01190e5e5ee41411ccfa4

SHA512
e922aa6ade50fd61e11e02dd5c9d7a8d6cb2f6c70170a7728121e31dd79b29c7b56d91fb3f084c8c927b47d09959d951223d0160b0298462d2e5b490ad4f0069

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
ac0a9bbf8faae1a710f24397b1fae6ec

SHA1
9afbd33ca0b708061134aca6c4f6ab747c8d117f

SHA256
0d3316ec80a54bcb5d4a570b49024844d8da212d966aa454b33164f3107438a5

SHA512
c74e7ada0617c9f392d73fdeb870c3d414bc976e42788d87ee69bfa0fb5d7460f5831cdc451178c316d50aa31a19e8a9cab1a7cff63a35d74f71b723f915aa4e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b2b11b20db57b84435577641a19ec921

SHA1
047b6b983854d9fc3fc44b4499868d5b05fec910

SHA256
dfc9db87865fbddb615b26812e43869f9cad719de243a75f7fe69d11f788bb7b

SHA512
13559577d020938727cd4f0c3253ffd1c5af39d09cbf2ca3bb58f3dd72122e3e2de2c5dbf9a09fd8f12575ce2237fcabcfea8f025689173ea75032971ce7f4ac

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
2b0df5ce132965f5726134826a0c0576

SHA1
a108cb5859b405b53227400c90f6d7e8d8331c5b

SHA256
b5a34e9c705a23a3dd79410d32a2dd17839333cd291ab94342e106926512d2c6

SHA512
60523017bf04ba35cdccb7dedbd422d6d9c3ce25b5caef7efb47a19c6e65c31f4a7c6d2e729192cfef8ae9d87a6fb7058f4949722888d6e13ba5697db26778a9

Download Submit
memory/3444-555-0x000001E22B240000-0x000001E22B250000-memory.dmp

Filesize
64KB

Download
memory/3444-574-0x000001E22B340000-0x000001E22B350000-memory.dmp

Filesize
64KB

Download
memory/3444-590-0x000001E2336A0000-0x000001E2336A1000-memory.dmp

Filesize
4KB

Download
memory/3444-592-0x000001E2336F0000-0x000001E2336F1000-memory.dmp

Filesize
4KB

Download
memory/3444-593-0x000001E2336D0000-0x000001E2336D1000-memory.dmp

Filesize
4KB

Download
memory/3444-594-0x000001E2337E0000-0x000001E2337E1000-memory.dmp

Filesize
4KB

Download