c19fa15613c590a4ceec40dc9e20871629af92309dd16cfb0585ca7543c4205a

Analysis

max time kernel
2s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installerexe.exe
Size

12.3MB
MD5

754ba59f4a661eb58ee6b9f170e9d84e
SHA1

2b633997fde8498f8b0705088d1af1094164ad31
SHA256

c19fa15613c590a4ceec40dc9e20871629af92309dd16cfb0585ca7543c4205a
SHA512

521cd56d81a2d9a0885d4255a1bb1ddc293d65339e26cc833ac6916c2b232dfbdab9b0c7da3933b3df7060ab7a8869bc054c451434760bf90e4e12d29c046488
SSDEEP

393216:OLKbbx3AgGnkQUXdiUyEaXM5FikLn2UGW5a2UQHj:OWbbx3TNt6bf64WjUu

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
5080	instaIIer.exe
4688	installer.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3656	sc.exe
2992	sc.exe
4120	sc.exe
2316	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5080	instaIIer.exe
5080	instaIIer.exe
4688	installer.exe
4688	installer.exe
4688	installer.exe
3172	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 5080	4264	installerexe.exe	29
PID 4264 wrote to memory of 5080	4264	installerexe.exe	29
PID 4264 wrote to memory of 5080	4264	installerexe.exe	29
PID 4264 wrote to memory of 4688	4264	installerexe.exe	28
PID 4264 wrote to memory of 4688	4264	installerexe.exe	28

C:\Users\Admin\AppData\Local\Temp\installerexe.exe
"C:\Users\Admin\AppData\Local\Temp\installerexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Roaming\installer.exe
  C:\Users\Admin\AppData\Roaming\installer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\installer.exe"
    3⤵
    PID:2680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ghub"
    3⤵
    - Launches sc.exe
    PID:3656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2992
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ghub" binpath= "C:\ProgramData\bnmabkttxedp\ghub.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4120
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ghub"
    3⤵
    - Launches sc.exe
    PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4540
- C:\Users\Admin\AppData\Roaming\instaIIer.exe
  C:\Users\Admin\AppData\Roaming\instaIIer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5080

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:3084

C:\ProgramData\bnmabkttxedp\ghub.exe
C:\ProgramData\bnmabkttxedp\ghub.exe
1⤵
PID:2248
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:3632
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  PID:5356
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3228

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3536

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:4904

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\instaIIer.exe

Filesize
95KB

MD5
76a76e44c856c2aca6c8d668da52d28b

SHA1
7845adf8a65ad355b42bdf628ad8df9bd135ffed

SHA256
5066cecbdbfa84b68b931e257ab58ce829a6b750b2f169f5be307c92dc89b630

SHA512
07acb96a7f946f219fb273bd28b703e15061f2baebfd7d320b74066601a58b441fa932ae847d339e59481a26e0dd418d033911123d513e1b3307f731babd3e3a

Download Submit
C:\Users\Admin\AppData\Roaming\instaIIer.exe

Filesize
448KB

MD5
97c6900e59e84974d603a0e55d3ff4a8

SHA1
b23b19b009abec3a4e96a06618fa43cbf960dfd1

SHA256
3d4203a37005204db72112b601425b69d1ed8a9df0d5ec74292e43fb7488cfee

SHA512
55eef3819c50f1a2727257ba8c6bcd3ba75a72e57c13297a010ecf652a5933f926d0e40cba151d554547cb21788e77cc1d7fc23167a94a452345ce2dd533c07a

Download Submit
C:\Users\Admin\AppData\Roaming\installer.exe

Filesize
94KB

MD5
460f436117fc61b8bedf29a47c3939a8

SHA1
c69d829538c3bf9d9016074f4b4bfa112082fc14

SHA256
905a462517469f3fe7f4157e17a599db7fafaf76fdfd0fc8596e324cf7d37d4c

SHA512
1c4ee55628b90ecff1670a01889c6494aad45c0606e0fde420f7d0252e08713c8858dcaf56f5fb5b3f9d73a34d478f23bcc7cf0494f0b1352a3071ed80853444

Download Submit
C:\Users\Admin\AppData\Roaming\installer.exe

Filesize
92KB

MD5
f808f0f44d2f149c9ef306c956ac8a58

SHA1
f221334c5975d5ee08280d37da570ed2ccff5a77

SHA256
534daa630b83aa1d2eab387ed5904abdf5ecc0df591140e0cd6a2a331e8bb313

SHA512
1ec7a2d96bb38360032459b4807c1863d285f59f0b4d2888cafd5b14aab840dbacfe17099e24cadd67c91b8fafffd7ff6260baabe0c5045a22acf9bc368428fd

Download Submit
memory/2248-37-0x00007FF7C5CB0000-0x00007FF7C675C000-memory.dmp

Filesize
10.7MB

Download
memory/2248-36-0x00007FFE9C2D0000-0x00007FFE9C2D2000-memory.dmp

Filesize
8KB

Download
memory/2248-112-0x00007FF7C5CB0000-0x00007FF7C675C000-memory.dmp

Filesize
10.7MB

Download
memory/2248-38-0x00007FF7C5CB0000-0x00007FF7C675C000-memory.dmp

Filesize
10.7MB

Download
memory/2796-92-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2796-94-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2796-96-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2796-95-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2796-93-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2796-99-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3172-31-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/3172-28-0x0000016673760000-0x0000016673770000-memory.dmp

Filesize
64KB

Download
memory/3172-27-0x0000016673760000-0x0000016673770000-memory.dmp

Filesize
64KB

Download
memory/3172-26-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/3172-17-0x000001665B220000-0x000001665B242000-memory.dmp

Filesize
136KB

Download
memory/3632-86-0x0000024EC9D20000-0x0000024EC9D26000-memory.dmp

Filesize
24KB

Download
memory/3632-52-0x0000024EC75C0000-0x0000024EC75D0000-memory.dmp

Filesize
64KB

Download
memory/3632-85-0x0000024EC9D10000-0x0000024EC9D18000-memory.dmp

Filesize
32KB

Download
memory/3632-49-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/3632-84-0x0000024EC9D50000-0x0000024EC9D6A000-memory.dmp

Filesize
104KB

Download
memory/3632-88-0x0000024EC75C0000-0x0000024EC75D0000-memory.dmp

Filesize
64KB

Download
memory/3632-77-0x0000024EC9AF0000-0x0000024EC9B0C000-memory.dmp

Filesize
112KB

Download
memory/3632-80-0x0000024EC9B10000-0x0000024EC9BC5000-memory.dmp

Filesize
724KB

Download
memory/3632-79-0x0000024EC75C0000-0x0000024EC75D0000-memory.dmp

Filesize
64KB

Download
memory/3632-81-0x0000024EC75A0000-0x0000024EC75AA000-memory.dmp

Filesize
40KB

Download
memory/3632-78-0x00007FF4032E0000-0x00007FF4032F0000-memory.dmp

Filesize
64KB

Download
memory/3632-82-0x0000024EC9D30000-0x0000024EC9D4C000-memory.dmp

Filesize
112KB

Download
memory/3632-87-0x0000024EC9D70000-0x0000024EC9D7A000-memory.dmp

Filesize
40KB

Download
memory/3632-91-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/3632-50-0x0000024EC75C0000-0x0000024EC75D0000-memory.dmp

Filesize
64KB

Download
memory/3632-83-0x0000024EC75B0000-0x0000024EC75BA000-memory.dmp

Filesize
40KB

Download
memory/4688-13-0x00007FFE9C2D0000-0x00007FFE9C2D2000-memory.dmp

Filesize
8KB

Download
memory/4688-15-0x00007FF6D0A00000-0x00007FF6D14AC000-memory.dmp

Filesize
10.7MB

Download
memory/4688-33-0x00007FF6D0A00000-0x00007FF6D14AC000-memory.dmp

Filesize
10.7MB

Download
memory/4904-66-0x00000000768F0000-0x0000000076B05000-memory.dmp

Filesize
2.1MB

Download
memory/4904-53-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/4904-63-0x00007FFE9C0D0000-0x00007FFE9C2C5000-memory.dmp

Filesize
2.0MB

Download
memory/4904-65-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-67-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-62-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/5080-118-0x000000000383F000-0x0000000003C30000-memory.dmp

Filesize
3.9MB

Download
memory/5080-56-0x000000000383F000-0x0000000003C30000-memory.dmp

Filesize
3.9MB

Download
memory/5080-4-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/5080-6-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/5080-7-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/5080-8-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/5080-42-0x00007FFE9C0D0000-0x00007FFE9C2C5000-memory.dmp

Filesize
2.0MB

Download
memory/5080-39-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5080-40-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5080-41-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5080-51-0x00000000768F0000-0x0000000076B05000-memory.dmp

Filesize
2.1MB

Download
memory/5080-55-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/5356-101-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-117-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-106-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-105-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-108-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-100-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-114-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-102-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-104-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-110-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-111-0x000002B48DCF0000-0x000002B48DD10000-memory.dmp

Filesize
128KB

Download
memory/5356-113-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-115-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-107-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-116-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-119-0x000002B48DD60000-0x000002B48DD80000-memory.dmp

Filesize
128KB

Download
memory/5356-103-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-120-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-121-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-122-0x000002B48DD80000-0x000002B48DDA0000-memory.dmp

Filesize
128KB

Download
memory/5356-123-0x000002B48DD80000-0x000002B48DDA0000-memory.dmp

Filesize
128KB

Download
memory/5356-125-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-127-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-128-0x000002B48DD80000-0x000002B48DDA0000-memory.dmp

Filesize
128KB

Download
memory/5356-129-0x000002B48DDA0000-0x000002B48DDC0000-memory.dmp

Filesize
128KB

Download
memory/5356-126-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5356-124-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download