Overview

overview

5

Static

static

3

linstalIer2024!.exe

windows7-x64

1

linstalIer2024!.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/02/2024, 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    linstalIer2024!.exe

  • Size

    47.0MB

  • MD5

    ef0b650d80cc8afcd948b4a70117a587

  • SHA1

    a6f268dc709ead799e1be505f19a9c039e825390

  • SHA256

    3cf2588ad60bbb10018884c67c75f405e7cc74f5190434660c15d6fc871d2f65

  • SHA512

    0f4aa429823418b0c882fc2f33b8330d00e37ef8cb35fe6cbc5b2212fcc08bc2b0c679618a769fb2557dc23540a6c9fa58f597dd90de5348d9e8d1cedee8ed0c

  • SSDEEP

    196608:IiAvORaNqTWd98Fer7+dXDYM4FE5uUET/VpACdzXmJ+wLO:TAAaNx8Fer7+dXkL1jPACdzXmJZLO

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\linstalIer2024!.exe
    "C:\Users\Admin\AppData\Local\Temp\linstalIer2024!.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:2336
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      2⤵
        PID:1432
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.0.1410652747\766920968" -parentBuildID 20221007134813 -prefsHandle 1932 -prefMapHandle 1776 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0a351b1-a70b-4055-bd74-5adcbc1bedc3} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2012 1d1d2fd1958 gpu
          3⤵
            PID:4684
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.1.1600218957\1089998671" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7790f6ee-3cfe-42c8-a106-68c27715d867} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2412 1d1c6572b58 socket
            3⤵
            • Checks processor information in registry
            PID:2648
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.2.2107603591\1190962638" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8d58bcd-be32-47b4-b64b-d17c030dba19} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3192 1d1d6faee58 tab
            3⤵
              PID:1176
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.3.1513355058\839197207" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3476 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4285eb3f-fbd8-4d34-89f9-754edaf33b9e} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3572 1d1c6561958 tab
              3⤵
                PID:4128
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.4.1009633190\2043696938" -childID 3 -isForBrowser -prefsHandle 4536 -prefMapHandle 4532 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac3e8d13-a98b-421a-a8ba-515d7d33f06d} 932 "\\.\pipe\gecko-crash-server-pipe.932" 4544 1d1d9097b58 tab
                3⤵
                  PID:3140
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.5.196218285\1348950644" -childID 4 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82d65508-a5b1-4198-b7cb-9a9d458e7e94} 932 "\\.\pipe\gecko-crash-server-pipe.932" 5136 1d1d6f7a258 tab
                  3⤵
                    PID:1892

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\db\data.safe.bin
                Filesize

                2KB

                MD5

                b600386b8fe05c9aa284fcc3019b86b0

                SHA1

                08e945717f5e09f2ded732b7236eb9bbb4f00e46

                SHA256

                a1fd6cd3b68632beb92205ee9a1e41f55472ad2c3dc950ec7f1a2642067d0ad2

                SHA512

                0f1ee07623fa9335d657b660209a17ae46b78c452f482feffe5cc1b043471d260543373b79489a93d0f4e6ae8350bf861f56072b8f3c22315ad71d4605f1648a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\4dbc444e-a3a9-4ba0-b5f2-449560a1e908
                Filesize

                746B

                MD5

                45b12a775005262636328df0454f615d

                SHA1

                34403c3a7d43511a8f3a2d6dce2a37a6692c3a2c

                SHA256

                9c7dcb7ddf2b4372fd536ebd14cc55e0ad08ed817d8981f737517dfddc710b5d

                SHA512

                70f229f38e78a9788d6062f117bc25f39f1f9b46c0860bb091f1220e7c54d41550fa9f080fc7b3492f505577dbdbdd4c083c7efbfbad975c005c8b091dbe97c5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\bfb1a83e-774f-4182-bb51-af8a385ac7a6
                Filesize

                11KB

                MD5

                575e57f42db1edc8ebfd83d850e1cf0e

                SHA1

                5da21e8248e42681251396dffb9fbf8123fc753e

                SHA256

                2d89efa4fdc56c5dace80b22aeef45bb41e8e7612d8038f254d3f0b6dac5c7fc

                SHA512

                a1cff07466897386561851bcf4def57d9ea8df7dfba4e42d7ebe18782fa4fc6f9cfa158fcb1eebca334f17f9db4877602aa86aac43989c1b9abc03d3996d7656

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js
                Filesize

                6KB

                MD5

                61e6e43a317d6c07bb3a6ac211a2a786

                SHA1

                42c96714ef4c3ef45401e8f272f9dad902e5c9c0

                SHA256

                786b7d4c23cbacb86979ee322700c9a5edb1e316e42e40d53dcf68072519e1a4

                SHA512

                cebf057487f1bc405908cb10f4b8c44b2963a2073795874aba1b28ef4a1e43ccda0d714325697ec39567158f59f174710b586f236731bf4ddf7aa5e3dcc0925a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs.js
                Filesize

                6KB

                MD5

                0093c6b026428e0549d0f75f1f65509f

                SHA1

                a49bec1f1cc459332e0e38a50d3c29a02d7026c1

                SHA256

                256ca35a38e912b75bb7ae160374164b723dbce08095cda7c1b740d1db065efc

                SHA512

                d68b6d00953cdc836fcbbd261c435ead1f8539868ad7173405d8de7e76ce5d223673ee94a303b268001c7facde8d7e27fe4341d90375258255ff54e98c73bd08

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionCheckpoints.json.tmp
                Filesize

                259B

                MD5

                700fe59d2eb10b8cd28525fcc46bc0cc

                SHA1

                339badf0e1eba5332bff317d7cf8a41d5860390d

                SHA256

                4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

                SHA512

                3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore.jsonlz4
                Filesize

                883B

                MD5

                f2724956608bf0bf50cf36aaa418ae19

                SHA1

                7ff8a32683754e8afb5f192bad6e83e559b9c02c

                SHA256

                739f3398e7346d7af023619ff2b05bbc83019ec649ab90c5cf40664765e86c2b

                SHA512

                11099eb2a240f39ca1a80e680943e08c641c8b7f53e3d722bade711dabb8054cea2b7fa620c4b387cf74c15c95fcdcceae449b806e22648f7ec9da6c1faa70bf

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                Filesize

                184KB

                MD5

                a68ca98b5e5db8f9c6ad1f26bdcbc943

                SHA1

                859be5263bd7a002597b77596f33873489a5903a

                SHA256

                a786430d8c75c404c9ae78045ae8e1dfc54b7752069c8472c69216014d7912a0

                SHA512

                599ac947852fd12e8c4dda0cbeb1ad7adf24e42c467c03ec4defeb4b52dd0f906e0547a4c5150115e3931d2b55be404e28a1edb9d88487f8812049b81c33a057

                Download Submit

              • memory/1432-158-0x0000000001200000-0x000000000127B000-memory.dmp

                Filesize

                492KB

                Download

              • memory/1432-161-0x0000000001200000-0x000000000127B000-memory.dmp

                Filesize

                492KB

                Download

              • memory/1432-163-0x0000000001200000-0x000000000127B000-memory.dmp

                Filesize

                492KB

                Download

              • memory/1432-164-0x00000000012E0000-0x0000000001312000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1432-165-0x00000000012E0000-0x0000000001312000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1432-166-0x00000000012E0000-0x0000000001312000-memory.dmp

                Filesize

                200KB

                Download

              • memory/2336-83-0x00007FF79E760000-0x00007FF7A16FE000-memory.dmp

                Filesize

                47.6MB

                Download

              • memory/2336-0-0x00007FF79E760000-0x00007FF7A16FE000-memory.dmp

                Filesize

                47.6MB

                Download

              • memory/2336-159-0x00007FF79E760000-0x00007FF7A16FE000-memory.dmp

                Filesize

                47.6MB

                Download