Analysis
-
max time kernel
191s -
max time network
203s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12/01/2024, 23:07 UTC
General
-
Target
updater.exe
-
Size
140.1MB
-
MD5
3db60378dae46b211045c4669998c1a5
-
SHA1
487a891c4ea6a2f7ecf3f93f8b047f9e68f1f574
-
SHA256
0dd66a537ead22c55bbd341c647341faaa260c499de26a0d398fb74240867c44
-
SHA512
898a371da1da9fc717f9bcbf5793b2805d1f0ff741b31324b3d98594db4a5138a1a2bc8e304c76f3e723e86032d7785b561563b5c5219e29bc7a052d4c9f57e5
-
SSDEEP
1572864:g2Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:3aodJFek8+k
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\updater.exe"C:\Users\Admin\AppData\Local\Temp\updater.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\updater.exe"C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\updater.exe"C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1680 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:12⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\updater.exe"C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --mojo-platform-channel-handle=1376 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵
-
-
C:\Users\Admin\AppData\Local\Temp\updater.exe"C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1648 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"2⤵
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name1⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\chcp.comchcp 650011⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles1⤵
-
C:\Windows\system32\cmd.execmd /c chcp 650011⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"1⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f1⤵
- Adds Run key to start application
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
Network
-
DNSipinfo.ioRemote address:8.8.8.8:53Requestipinfo.ioIN AResponseipinfo.ioIN A34.117.186.192 -
DNSredirector.gvt1.comRemote address:8.8.8.8:53Requestredirector.gvt1.comIN AResponseredirector.gvt1.comIN A209.85.202.139redirector.gvt1.comIN A209.85.202.100redirector.gvt1.comIN A209.85.202.113redirector.gvt1.comIN A209.85.202.101redirector.gvt1.comIN A209.85.202.138redirector.gvt1.comIN A209.85.202.102
-
DNSr3---sn-aigzrnsz.gvt1.comRemote address:8.8.8.8:53Requestr3---sn-aigzrnsz.gvt1.comIN AResponser3---sn-aigzrnsz.gvt1.comIN CNAMEr3.sn-aigzrnsz.gvt1.comr3.sn-aigzrnsz.gvt1.comIN A74.125.175.168
-
DNS3ps1l0n.lifeRemote address:8.8.8.8:53Request3ps1l0n.lifeIN AResponse3ps1l0n.lifeIN A172.67.155.2043ps1l0n.lifeIN A104.21.72.222
-
DNS3ps1l0n.lifeRemote address:8.8.8.8:53Request3ps1l0n.lifeIN A
-
DNSdns.googleRemote address:8.8.8.8:53Requestdns.googleIN AResponsedns.googleIN A8.8.4.4dns.googleIN A8.8.8.8
-
DNSdns.googleRemote address:8.8.8.8:53Requestdns.googleIN AResponsedns.googleIN A8.8.8.8dns.googleIN A8.8.4.4
-
DNScdn.discordapp.comRemote address:8.8.8.8:53Requestcdn.discordapp.comIN AResponsecdn.discordapp.comIN A162.159.135.233cdn.discordapp.comIN A162.159.134.233cdn.discordapp.comIN A162.159.133.233cdn.discordapp.comIN A162.159.130.233cdn.discordapp.comIN A162.159.129.233
-
34.117.186.192:443ipinfo.iotls
-
209.85.202.139:443redirector.gvt1.comtls -
74.125.175.168:443r3---sn-aigzrnsz.gvt1.comtls -
172.67.155.204:4433ps1l0n.lifetls
-
8.8.8.8:443dns.googletls
-
8.8.4.4:443dns.googletls
-
8.8.4.4:443dns.googletls
-
8.8.8.8:443dns.googletls
-
172.67.155.204:4433ps1l0n.lifetls
-
172.67.155.204:4433ps1l0n.lifetls
-
172.67.155.204:4433ps1l0n.lifetls
-
162.159.135.233:443cdn.discordapp.comtls
-
8.8.8.8:53ipinfo.iodns
DNS Request
ipinfo.io
DNS Response
34.117.186.192
-
8.8.8.8:53redirector.gvt1.comdns
DNS Request
redirector.gvt1.com
DNS Response
209.85.202.139209.85.202.100209.85.202.113209.85.202.101209.85.202.138209.85.202.102
-
8.8.8.8:53r3---sn-aigzrnsz.gvt1.comdns
DNS Request
r3---sn-aigzrnsz.gvt1.com
DNS Response
74.125.175.168
-
74.125.175.168:443r3---sn-aigzrnsz.gvt1.comhttps
-
8.8.8.8:533ps1l0n.lifedns
DNS Request
3ps1l0n.life
DNS Request
3ps1l0n.life
DNS Response
172.67.155.204104.21.72.222
-
8.8.8.8:53dns.googledns
DNS Request
dns.google
DNS Response
8.8.4.48.8.8.8
-
8.8.8.8:53dns.googledns
DNS Request
dns.google
DNS Response
8.8.8.88.8.4.4
-
8.8.8.8:53cdn.discordapp.comdns
DNS Request
cdn.discordapp.com
DNS Response
162.159.135.233162.159.134.233162.159.133.233162.159.130.233162.159.129.233
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231B
MD5dec2be4f1ec3592cea668aa279e7cc9b
SHA1327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA51281728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66
-
Filesize
249B
MD5cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA2561b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
301KB
MD5df09b5dc1c2b23c6caeb0994295130fb
SHA199eacd989e46ea7a2d758f068b008dbdc45f7976
SHA256a9e11a8720826c7db276afaa8380be91e53f7f31e96bc3c6da7f2a94cca71d17
SHA51292e437fa8db3e1b936abd89ab2bbea4486353043078720c9e8e59a4c776ee13448b37f29cd6d8a119e4af0f8c691d0475159d3525fb3329bc66ca30b5b443e33
-
Filesize
93KB
MD5eb0daa1f202df3fbaa9b733f5b6e70da
SHA1de0c14d30225f74f935dd01d99b67287aa0ee070
SHA2560ba9bd4d3f7092375085a33079b78f99e6ca71a09a4209c2870bf7250e4dd1bb
SHA51206fd500f101b3409bbd25b0a6358493f9b9f48ed3f869b5f09520fb789d8e96f31158a8112af021c20407b64eb9735865eabe27492550f1e0c4f4533496fa79e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB