306a6648c7872cbe5bdd661bdf931d8c93cb270091bdb9096e3203129c419ff3

Analysis

max time kernel
1800s
max time network
1788s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/05/2024, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

158.3MB
MD5

552ef372c18e046d0f6537e87c9ec935
SHA1

9c294284c4f511b54451c3936aa6ea618940c4fc
SHA256

9fa9e3948a735d50662b667b5d4a42e4e1ff62d582aca29590521ead01d1366d
SHA512

0a10e2249a2d0478bacc43f08f6910c42e01284ee8ef04d2f4c0acfefca3ecf6fe41e0e017a9ccc4fa892ca37e22742c3ccb0462ddefebc1c436d857c04d5af8
SSDEEP

1572864:TULGtNWpvig2iH72GUrstdzcuo3tSONV9k9KDipAsKjUcX5j+BJwB/dlktdXQIAI:W12uI+

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Installer.exe

Loads dropped DLL 2 IoCs

pid	Process
1148	Installer.exe
1148	Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Installer.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1188	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	Installer.exe
1684	Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	tasklist.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: 33	1364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1364	AUDIODG.EXE
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe
Token: SeCreatePagefilePrivilege	1148	Installer.exe
Token: SeShutdownPrivilege	1148	Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 4876	1148	Installer.exe	74
PID 1148 wrote to memory of 4876	1148	Installer.exe	74
PID 4876 wrote to memory of 1188	4876	cmd.exe	76
PID 4876 wrote to memory of 1188	4876	cmd.exe	76
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 4620	1148	Installer.exe	78
PID 1148 wrote to memory of 420	1148	Installer.exe	79
PID 1148 wrote to memory of 420	1148	Installer.exe	79
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80
PID 1148 wrote to memory of 1468	1148	Installer.exe	80

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1780 --field-trial-handle=1784,i,15444519698548683795,254035533525946467,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2728 --field-trial-handle=1784,i,15444519698548683795,254035533525946467,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:420
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2936 --field-trial-handle=1784,i,15444519698548683795,254035533525946467,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=3148 --field-trial-handle=1784,i,15444519698548683795,254035533525946467,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3436 --field-trial-handle=1784,i,15444519698548683795,254035533525946467,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\game\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f719bc7ad2949508b6717c3152e058d5

SHA1
3b6f4a1e1adc8a3841ca95c7129c6bf9b38d9b22

SHA256
fab33e5fe5f853a31aa7186aa592a395071ce0bd634b7cee2672321dd93eea4b

SHA512
58af718a9dbd881844785d4b8e621d03da8586b0924b1846294f87de703436cf9bc82e223ef125ef3d23af46f5ba09a63c438e50ccb1fc193a6fc237fb14b768

Download Submit
C:\Users\Admin\AppData\Roaming\game\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6971c2d8d53904a0bbee443d5dd9b833

SHA1
39204593a0a55a9617b3a0a6f4d2795617230a24

SHA256
21d93fa3b32ef22414bd4f67ef5ff1cb9cc2e22f5441552d8abb64708699619d

SHA512
202bb2bc922bf7651dd8f92b5822521ef57b7aa222870a05478cb6a90611b18a6f5ff177e00b41d68601fc70355af762451be28d63d914239b8cb1dd541ce639

Download Submit
C:\Users\Admin\AppData\Roaming\game\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
08d77c2c58d82bef9acf087cf7f81fa5

SHA1
f2878e42d781f12d66ecd281b096887317c6c314

SHA256
29a841252338d02a3bc71da1c243269302dd8d03e0cc9bfa199ac417a98d7c95

SHA512
cc5446113af77f5ab353b279eb43bde1a66649ad896476bea91287610460fec6774260179bd9467e81405ef0fcbe2b5f63680816befebbfcba6c5d0085ea3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\Network Persistent State

Filesize
1KB

MD5
a583fe1597e55bf78a5cb00942cf45c4

SHA1
783595de0fe3dd2d04d3653e571e1a715ffbed53

SHA256
6d2490fd899bee21d9a9e6a78c6074f6ada3d2b8ec8bb28467f7b253a30ed54d

SHA512
dfde16dec68d998fd18134b1700d8db2cae6752ee3ccda087a718932feaca06ca3afddabb9fa8dd392a4383a8c11feaaede0771239b62b8c066ac311ca662eb0

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\Network Persistent State~RFe588e12.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\TransportSecurity

Filesize
856B

MD5
9240b1729a8d8d948f207634be2c8e2a

SHA1
4052bc4d5f5592b15f08cbd0a921763ab282d12b

SHA256
e5bf9b40af3fa1e869adfafeb1e4d1be078cec6897cb15c89f5841a2c0008fca

SHA512
3c6c732be3433f1fa24520015df440ece95227b35b1ce342470eb99dfd1b97e7b04d87219e63fc427a5a8d3eeeb1cd80be68caeb7691e7932c838eadffdda2f0

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\TransportSecurity~RFe57f0f7.TMP

Filesize
856B

MD5
989891c496075ae602955cb0b77cbb84

SHA1
a97b5bdd4e6475709a8dbd1d8f121b6a0d667fa0

SHA256
3f9ab4c46b4b3bdacc69446feae2c32d867502e74e45a08107ef171b88cc6a15

SHA512
730232186c221f0870f0d7dda7522fdfd51b753bf8131fd2a66fab61a9c6d0100a934cc9939c54565cc7be8dd35645c70f9f7abc540aa50b976a4a8f680760da

Download Submit
C:\Users\Admin\AppData\Roaming\game\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\Users\Admin\AppData\Local\Temp\105445be-640b-4c6f-bbe8-97d678e0e5dd.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
\Users\Admin\AppData\Local\Temp\8ff0d194-8bd6-496b-a3c0-0ca830ffa5b3.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
memory/1468-52-0x00007FFFBDD20000-0x00007FFFBDD21000-memory.dmp

Filesize
4KB

Download
memory/1468-53-0x00007FFFBF950000-0x00007FFFBF951000-memory.dmp

Filesize
4KB

Download
memory/3028-77-0x00007FFFBDFF0000-0x00007FFFBDFF1000-memory.dmp

Filesize
4KB

Download
memory/3028-196-0x000002B74DC60000-0x000002B74DD1F000-memory.dmp

Filesize
764KB

Download