2854e234da3cf8855095e1b74f3bb61e5a39ebd534b531f46d875add3eb29312

Analysis

max time kernel
191s
max time network
203s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

updater.exe
Size

140.1MB
MD5

3db60378dae46b211045c4669998c1a5
SHA1

487a891c4ea6a2f7ecf3f93f8b047f9e68f1f574
SHA256

0dd66a537ead22c55bbd341c647341faaa260c499de26a0d398fb74240867c44
SHA512

898a371da1da9fc717f9bcbf5793b2805d1f0ff741b31324b3d98594db4a5138a1a2bc8e304c76f3e723e86032d7785b561563b5c5219e29bc7a052d4c9f57e5
SSDEEP

1572864:g2Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:3aodJFek8+k

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\International\Geo\Nation	updater.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	updater.exe
2916	updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsBootManager = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsBootManager.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	updater.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1820	WMIC.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2740	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	updater.exe
2916	updater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeShutdownPrivilege	2916	updater.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemProfilePrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeProfSingleProcessPrivilege	2176	WMIC.exe
Token: SeIncBasePriorityPrivilege	2176	WMIC.exe
Token: SeCreatePagefilePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeDebugPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeRemoteShutdownPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: 33	2176	WMIC.exe
Token: 34	2176	WMIC.exe
Token: 35	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemProfilePrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeProfSingleProcessPrivilege	2176	WMIC.exe
Token: SeIncBasePriorityPrivilege	2176	WMIC.exe
Token: SeCreatePagefilePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeDebugPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeRemoteShutdownPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: 33	2176	WMIC.exe
Token: 34	2176	WMIC.exe
Token: 35	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 2736	2916	updater.exe	29
PID 2916 wrote to memory of 388	2916	updater.exe	31
PID 2916 wrote to memory of 388	2916	updater.exe	31
PID 2916 wrote to memory of 388	2916	updater.exe	31
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30
PID 2916 wrote to memory of 2628	2916	updater.exe	30

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1680 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --mojo-platform-channel-handle=1376 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:388
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\updater.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\updater" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1648 --field-trial-handle=1236,i,14135995835064569770,12443209955191738020,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"
  2⤵
  PID:3048

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
1⤵
PID:2348

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1700

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:2912

C:\Windows\system32\cmd.exe
cmd /c chcp 65001
1⤵
PID:2640

C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
1⤵
PID:2052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f
1⤵
- Adds Run key to start application
PID:2264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Antivirus.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
249B

MD5
cf7e4a12f932a3fddddacc8b10e1f1b0

SHA1
db6f9bc2be5e0905086b7b7b07109ef8d67b24ee

SHA256
1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b

SHA512
fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

Download Submit
C:\Users\Admin\AppData\Roaming\updater\Local Storage\leveldb\CURRENT~RFf770a5d.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\Users\Admin\AppData\Local\Temp\b086a55f-1f3e-4487-b023-3a7e721558c7.tmp.node

Filesize
301KB

MD5
df09b5dc1c2b23c6caeb0994295130fb

SHA1
99eacd989e46ea7a2d758f068b008dbdc45f7976

SHA256
a9e11a8720826c7db276afaa8380be91e53f7f31e96bc3c6da7f2a94cca71d17

SHA512
92e437fa8db3e1b936abd89ab2bbea4486353043078720c9e8e59a4c776ee13448b37f29cd6d8a119e4af0f8c691d0475159d3525fb3329bc66ca30b5b443e33

Download Submit
\Users\Admin\AppData\Local\Temp\b65becc1-4edc-4b24-a5f4-096ce768de60.tmp.node

Filesize
93KB

MD5
eb0daa1f202df3fbaa9b733f5b6e70da

SHA1
de0c14d30225f74f935dd01d99b67287aa0ee070

SHA256
0ba9bd4d3f7092375085a33079b78f99e6ca71a09a4209c2870bf7250e4dd1bb

SHA512
06fd500f101b3409bbd25b0a6358493f9b9f48ed3f869b5f09520fb789d8e96f31158a8112af021c20407b64eb9735865eabe27492550f1e0c4f4533496fa79e

Download Submit
memory/2736-5-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2736-43-0x0000000077430000-0x0000000077431000-memory.dmp

Filesize
4KB

Download
memory/2916-48-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download