Analysis
- max time kernel: 125s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-03-2024 21:36
Static task: static1

Behavioral task: behavioral1
- Sample: Installer (2).exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: Installer (2).exe
- Resource: win10v2004-20240226-en
General
- Target: Installer (2).exe
- Size: 166.8MB
- MD5: dc2cfdace871eb8499e326f155b01d63
- SHA1: 3eb3fb28d2fed92c45f32d3e24d347bc32dd456f
- SHA256: 2e1a346d13ae17dff86d8b824ec3b78e097827f67322c0c6175670db8c41303e
- SHA512: b49fddcd033e953abbefa4ade4c69f6b96836cdfd70d197d5fbf9341cfa079c3b54dd50130bc697203d0e19124e35c13f33ac8a8adf111ce2143b1b48380c8cb
- SSDEEP: 1572864:4BRO09akMhGIrAVqO9uP2WP2QW4Ev7K2hPt:4XO0bIrahB2Ev7K2hPt
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2012 connection1503.exe
- 2584 update1503.exe
Loads dropped DLL (5 IoCs)
Processes (pid, process):
- 352 Installer (2).exe (5 entries)
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BitLockerToGo.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BitLockerToGo.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BitLockerToGo.exe)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow, ioc):
- 4 api.ipify.org
- 5 api.ipify.org
- 19 ipinfo.io
- 20 ipinfo.io
Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, procid_target):
- PID 2584 set thread context of 2696: 2584 update1503.exe, target 40
Drops file in Program Files directory (6 IoCs)
Processes (description, ioc, process):
- File created: C:\Program Files\microsoftgame\connection1503.zip (Installer (2).exe)
- File created: C:\Program Files\microsoftgame\connection1503.exe (Installer (2).exe)
- File opened for modification: C:\Program Files\microsoftgame\connection1503.exe (Installer (2).exe)
- File created: C:\Program Files\microsoftgame\update1503.zip (Installer (2).exe)
- File created: C:\Program Files\microsoftgame\update1503.exe (Installer (2).exe)
- File opened for modification: C:\Program Files\microsoftgame\update1503.exe (Installer (2).exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (BitLockerToGo.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (BitLockerToGo.exe)
Modifies system certificate store
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (Installer (2).exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <hex-encoded certificate blob, raw hex omitted; the embedded DER certificate carries the subject "Internet Security Research Group" / "ISRG Root X1"> (Installer (2).exe)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
- 1624 powershell.exe
- 2416 powershell.exe
- 2804 powershell.exe
- 2920 powershell.exe
- 2696 BitLockerToGo.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 352 Installer (2).exe
- Token: SeDebugPrivilege, 1624 powershell.exe
- Token: SeDebugPrivilege, 2416 powershell.exe
- Token: SeDebugPrivilege, 2804 powershell.exe
- Token: SeDebugPrivilege, 2920 powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description, pid, process, procid_target; identical repeated rows collapsed with a count):
- PID 352 wrote to memory of 2416: 352 Installer (2).exe, target 28 (x3)
- PID 352 wrote to memory of 1624: 352 Installer (2).exe, target 29 (x3)
- PID 352 wrote to memory of 2012: 352 Installer (2).exe, target 32 (x3)
- PID 352 wrote to memory of 2804: 352 Installer (2).exe, target 33 (x3)
- PID 352 wrote to memory of 2920: 352 Installer (2).exe, target 34 (x3)
- PID 352 wrote to memory of 2584: 352 Installer (2).exe, target 37 (x3)
- PID 2584 wrote to memory of 2696: 2584 update1503.exe, target 40 (x6)
outlook_office_path (1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BitLockerToGo.exe)
outlook_win_path (1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BitLockerToGo.exe)
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\Installer (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Installer (2).exe"
  PID: 352
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      PID: 2416
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      PID: 1624
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\microsoftgame\connection1503.exe
      Command line: "C:\Program Files\microsoftgame\connection1503.exe"
      PID: 2012
      - Executes dropped EXE

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      PID: 2804
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/microsoftgame'
      PID: 2920
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\microsoftgame\update1503.exe
      Command line: "C:\Program Files\microsoftgame\update1503.exe"
      PID: 2584
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          PID: 2696
          - Accesses Microsoft Outlook profiles
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - outlook_office_path
          - outlook_win_path
Downloads