Analysis Overview
SHA256
a230fc03c202928b2f7ce173273bd314ca5ebd1c59a16b6cfb36440b585fc756
Threat Level: Known bad
The file installerV2.rar was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detect Poverty Stealer Payload
Poverty Stealer
RedLine
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 10:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 10:06
Reported
2024-02-02 10:16
Platform
win10v2004-20231215-en
Max time kernel
61s
Max time network
75s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3580 set thread context of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\installerV2\setup.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3672 wrote to memory of 1592 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3672 wrote to memory of 1592 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3580 wrote to memory of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
| PID 3580 wrote to memory of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
| PID 3580 wrote to memory of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
| PID 3580 wrote to memory of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
| PID 3580 wrote to memory of 1096 | N/A | C:\Users\Admin\Desktop\installerV2\Installer.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\installerV2.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\installerV2.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\installerV2\setup.exe
"C:\Users\Admin\Desktop\installerV2\setup.exe"
C:\Users\Admin\Desktop\installerV2\Installer.exe
"C:\Users\Admin\Desktop\installerV2\Installer.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 45.15.156.142:33597 | | tcp |
| US | 8.8.8.8:53 | 142.156.15.45.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\cef.pak
| MD5 | 4e0569b68960318b7dfe53dbe6832840 |
| SHA1 | 81cab18b8085fc3652cdc0d9f10efd3068237b22 |
| SHA256 | 15da2b5b7039dbd5616a9ff42b451df830197df2f8e72e7b208047ed32183329 |
| SHA512 | 144583181e37a57c2f375acb5c16c27309f21fce3b0a89c93a014bd27a09f7e9882a70ee4746c807c638bd675b6099c222f33dd420f1a804b40e8870002ddfa6 |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_1
| MD5 | abac4265c823916c5e7eff156e9efa0c |
| SHA1 | afe2336ff1030e766bdc0f23bb489518fecf9245 |
| SHA256 | c1fee2558ca5efb77691635b1ff92ba3661b8217653f2ffe6150699d44137e6b |
| SHA512 | ee27854a771076d397b0135e7c4cf415d59031479be5739b99b51ec54ca1bee6d0f411ffe7ffee1f2df2a5aa88360ddb94621f6c5ac8ec30c120d7b86c9ef95b |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_0
| MD5 | ccdad492bf2837b5c39af24e1edeba19 |
| SHA1 | 559849e557ea273c8b093520f25f71999bb842dd |
| SHA256 | 48b6feeab56e590821508aca66a4d4347276719248a39caf4019c41884b51c65 |
| SHA512 | 638b4a53e3c8210cd60b16b69b8ac96745451f9b28abca9106e56bc740f98461cf06d8be0b355f429db358bcdcdc232c6d6e10eb51948d5f43783901658807a6 |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\cef_100_percent.pak
| MD5 | 20c53b63527023e3bc2300fe83e62941 |
| SHA1 | 0dccc5c4fa3e79cb258406050eeda2c224b6ce31 |
| SHA256 | 65eb3dcbadc41708c3b6347f13ef1d6b0fdc48fe72dac91c41ff38d390231af7 |
| SHA512 | ef54e4a0c47b0621845b1f677b0136933a571c857f46ef7b556f509a5d36c771708505e3216248b540ffbcada08dc289167d91c4ceba7d678de70f499900cd22 |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\index
| MD5 | 2b19239fdfc1ce97f23509562dae213c |
| SHA1 | 89874206b901d33a4033cde558f515000d436183 |
| SHA256 | 2947e7b436276b77907ca9cc9a6a9a0521701086f3bc373e285ddd7bd9551b6c |
| SHA512 | 8c92dc7046b25a4537ef88cbc83016894f2b41e04b14bcbae2e947342c15d563998868b27fd119d8b067e9c12914d3e1a37e3be019333f407e3d4551ce511dd4 |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\data_3
| MD5 | 714e585cd3dd6179dbb510f53d35eebd |
| SHA1 | 67a940cb03f7759beaf1807e99d11452a92be00b |
| SHA256 | 8a43250ae65efa053ad1861d9aad8cf7112e91841eec00e21bc88b4fabbbc136 |
| SHA512 | 5f796a95ba8771cca62ce88bbd3f99507310335464653ef9ee140053a758ec4c64fd3a827a5a03f154f8756ec32868c243f24b190487b2d206971ab93c9934bc |
C:\Users\Admin\AppData\Local\Temp\7zE836725F7\installerV2\packages\Data\libcef.dll
| MD5 | b5936413e69ce35fb354fe0f8d2cdf30 |
| SHA1 | 2922a763711c0547e314aa9fe188743b7dba15cc |
| SHA256 | d5dc7e48951b2e48a3495d859310c2918a9ce1cbb3eff6115d41fd5073f6a991 |
| SHA512 | 602b77069e6a330d01e2698a0361043543c6d882f37adb1b128bd3e5e82c92b962f18dc8987247f989d04e407fdb6f5ceb0295ba8c1361cc4dd2ed52336a031e |
C:\Users\Admin\Desktop\installerV2\setup.exe
| MD5 | 829ef4d8b56fea0ce1ffa9d2c630c48f |
| SHA1 | 87c6c913b1e0c9efd874bde979a3bdad40095686 |
| SHA256 | 8e0f7f71cdfe332f45d166dceae0d953cb456c6a5a7a3c03aa73af1c25a09736 |
| SHA512 | 5492c97e962187c9043f390e30ec9229777ddd53d14cd67d6d74225bd68967d6c73f8f21524b964ceaebda3831f9f8c26c06a5ab01a6b9c2db301a36d70ab057 |
memory/3132-80-0x0000000001240000-0x0000000001294000-memory.dmp
memory/3132-84-0x0000000073F40000-0x00000000746F0000-memory.dmp
memory/3132-85-0x0000000005DF0000-0x0000000006394000-memory.dmp
memory/3132-86-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/3132-87-0x0000000005B20000-0x0000000005B30000-memory.dmp
memory/3132-88-0x00000000059B0000-0x00000000059BA000-memory.dmp
C:\Users\Admin\Desktop\installerV2\Installer.exe
| MD5 | 8103cddcc5484d3af64fe561b008c928 |
| SHA1 | e357f8fdbb51c7e3fd9a50bf8e1d416257e8722e |
| SHA256 | cedb2abe919e82436025b857e84fdf25d33a23f8c846d302c699ec3f9556fda0 |
| SHA512 | 18d240158a713addab611ae2eb1fbd0ade3f95b4bae827663cb11473f993abf5d7ac3ac59f1ffd11c0809651ba4bf1d6e44ea065c4aa55d324b8f75ed2d51ed8 |
memory/3132-93-0x00000000069C0000-0x0000000006FD8000-memory.dmp
memory/3132-94-0x00000000063A0000-0x00000000064AA000-memory.dmp
memory/3132-95-0x0000000005A90000-0x0000000005AA2000-memory.dmp
memory/3132-96-0x0000000005C20000-0x0000000005C5C000-memory.dmp
memory/3132-97-0x0000000005C60000-0x0000000005CAC000-memory.dmp
memory/3132-100-0x00000000064B0000-0x0000000006516000-memory.dmp
memory/3132-101-0x0000000007390000-0x00000000073E0000-memory.dmp
memory/3132-102-0x00000000075B0000-0x0000000007772000-memory.dmp
memory/3132-103-0x0000000007CB0000-0x00000000081DC000-memory.dmp
memory/3580-104-0x00007FF7345D0000-0x00007FF734935000-memory.dmp
memory/3580-106-0x00007FF7345D0000-0x00007FF734935000-memory.dmp
memory/1096-105-0x0000000000340000-0x000000000034A000-memory.dmp
memory/1096-108-0x0000000000340000-0x000000000034A000-memory.dmp
memory/1096-110-0x0000000000340000-0x000000000034A000-memory.dmp
memory/3132-113-0x0000000073F40000-0x00000000746F0000-memory.dmp