18ce929380ab15f9e9d23d156ff3cff56b94e33641a40379f57e7adc91130c3f

Resubmissions

09/04/2024, 22:11

240409-131wtaea38 8

09/04/2024, 21:43

09/04/2024, 21:18

06/04/2024, 10:55

06/04/2024, 10:41

Analysis

max time kernel
1201s
max time network
1212s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/04/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

147.0MB
MD5

2fcb65fc8b2bc9505da8dd94033cc7ad
SHA1

ff12916a1d57eb26d9e5856d91c450b155a35f65
SHA256

708543f3ca34ffe8e4d33c09560d4e190fe35bd2aa7a57369291174d537ffc32
SHA512

4927ede0dead3f947513add783a150245185ae1872b0f59d8159448423b33e636956e69b8278c37f62dd9a6a4ca59247f83beea4d59d1a6832ce5ce4533ed585
SSDEEP

1572864:EgGRqQdeZ4K5M0PmL0g6dKXPRYGO1QwOVnMKVbmd6LpL28nHQ5OneFBlwb:OV6msmCUhN4lS

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1484	Installer.exe
1484	Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Installer.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
908	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4020	Installer.exe
4020	Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe
Token: SeCreatePagefilePrivilege	1484	Installer.exe
Token: SeShutdownPrivilege	1484	Installer.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 3236	1484	Installer.exe	77
PID 1484 wrote to memory of 3236	1484	Installer.exe	77
PID 3236 wrote to memory of 908	3236	cmd.exe	79
PID 3236 wrote to memory of 908	3236	cmd.exe	79
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2552	1484	Installer.exe	81
PID 1484 wrote to memory of 2240	1484	Installer.exe	82
PID 1484 wrote to memory of 2240	1484	Installer.exe	82
PID 1484 wrote to memory of 4020	1484	Installer.exe	83
PID 1484 wrote to memory of 4020	1484	Installer.exe	83

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1808,i,17306212009731361689,8791051965466281609,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,17306212009731361689,8791051965466281609,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1056 --field-trial-handle=1808,i,17306212009731361689,8791051965466281609,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c13c9289-ee95-4a5c-9697-df8b2a6c9daf.tmp.node

Filesize
654KB

MD5
36e0027f9e250df48c14d0c46cc69df7

SHA1
8c8c4dd7725a0ec877541d48ed5ceda97d8a3bd1

SHA256
1f6a635c64ef5e04826545b78d4796f2f00493c7fd7b06c9cdea956fd71afeaf

SHA512
eba9d6dfe72a7d606159a30968627f6bee22f81f00c722d40058ab6c880c880e040fb9f418e5154f30f20f5f8c9254c3ed9cfa93ea1f2eefa9b5d7ed4e9fea84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef06864e-bc16-47df-8fb7-ead882b02dde.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
memory/2552-11-0x00007FFA605B0000-0x00007FFA605B1000-memory.dmp

Filesize
4KB

Download
memory/4020-48-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-50-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-49-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-40-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-47-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-46-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-45-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-44-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-39-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download
memory/4020-38-0x000001EDB9640000-0x000001EDB9641000-memory.dmp

Filesize
4KB

Download