eadcf660e731fd3de0a5a8bee2f2337e7d78438f4e9293d2c90d5e63a2d9368e

Resubmissions

26-07-2024 08:19

240726-j7ytkszeqd 3

07-05-2024 20:40

240507-zgaxtseg4v 10

23-04-2024 21:09

240423-zzq2rsca28 7

Analysis

max time kernel
6s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

158.3MB
MD5

ac686947988fb29c074489a28f32fb86
SHA1

4760635ba437216456a0633b41748a63aafdd748
SHA256

69f086ecb0e9b764462e3d62268194b2b9abc8e4492b6c5b38472e1b7897436d
SHA512

b77afc5775edcf3a66d0bc80024530b08c1ccf0adff9d24f66d71eabaedc415d276d6fb95f5c8ac654d3c7d19652b2a12e45f04e4c31c75763c9cb9cff7b15aa
SSDEEP

1572864:TULGtNWpvig2iH72GUrstdzcuo3tSONV9k9KDipAsKjUcX5j+BJwB/dlktdXQIAI:W12uI+

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Installer.exeInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Installer.exe

Loads dropped DLL 2 IoCs

Processes:

Installer.exe

pid process

2876 Installer.exe
2876 Installer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

440 tasklist.exe

pid	process
2876	Installer.exe
2876	Installer.exe

pid	process
440	tasklist.exe

Modifies registry class 7 IoCs

Processes:

Installer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687\URL Protocol	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687\ = "URL:discord-1226551158328262687"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687\shell\open\command	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687\shell	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687\shell\open	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\discord-1226551158328262687\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Installer.exe\" \"%1\""	Installer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

tasklist.exeInstaller.exe

description	pid	process
Token: SeDebugPrivilege	440	tasklist.exe
Token: SeShutdownPrivilege	2876	Installer.exe
Token: SeCreatePagefilePrivilege	2876	Installer.exe
Token: SeShutdownPrivilege	2876	Installer.exe
Token: SeCreatePagefilePrivilege	2876	Installer.exe
Token: SeShutdownPrivilege	2876	Installer.exe
Token: SeCreatePagefilePrivilege	2876	Installer.exe
Token: SeShutdownPrivilege	2876	Installer.exe
Token: SeCreatePagefilePrivilege	2876	Installer.exe
Token: SeShutdownPrivilege	2876	Installer.exe
Token: SeCreatePagefilePrivilege	2876	Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Installer.execmd.exe

description	pid	process	target process
PID 2876 wrote to memory of 1576	2876	Installer.exe	cmd.exe
PID 2876 wrote to memory of 1576	2876	Installer.exe	cmd.exe
PID 1576 wrote to memory of 440	1576	cmd.exe	tasklist.exe
PID 1576 wrote to memory of 440	1576	cmd.exe	tasklist.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2800	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2608	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 2608	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe
PID 2876 wrote to memory of 4272	2876	Installer.exe	Installer.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1880 --field-trial-handle=1884,i,6774919349174147600,11911361070210208383,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2256 --field-trial-handle=1884,i,6774919349174147600,11911361070210208383,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2536 --field-trial-handle=1884,i,6774919349174147600,11911361070210208383,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Checks computer location settings
PID:4272

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=3528 --field-trial-handle=1884,i,6774919349174147600,11911361070210208383,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:4416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x494
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2f4055a7-fed0-4e9b-acb9-5aebe9b1dfaf.tmp.node

Filesize
154KB

MD5
b618595558e9f820af0b9ab0127fe12b

SHA1
d7c1a145b0e111c82cb2fff60f0ec32a7afc1f4e

SHA256
6948c0083facb97c14f947bb68c69a9956232039add4d1ea27f9c1b92b819876

SHA512
bec87b54298240582c6790c2f41ead3582c8a4ad80449f55ba34f0996e55e09e38e6f5d92a06f9a950ef42d68d09f53f6e0eac030e6ee20ddaeab1fde6a22ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5bc28e4-a76b-42ec-a25e-00bfcef2d7c0.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\game\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
087a723bc2024e34ac647bee20afd673

SHA1
f9f9d6c08f1ce2874c01954a2679d6435c3d730e

SHA256
b7a28482599eaea2bde38ff209758dd1b126d16740ade61fcda1bddabfb1018c

SHA512
6aa8efc1231add5a80909ad54b2b223e62c1e94a3bc95598ac976baaedaf6e1f9deb615b44d57acd321140ac6c6f8f251f0095fd36cb1eb5cbb8ecab7dc479c7

Download Submit
C:\Users\Admin\AppData\Roaming\game\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
45584da996b328efc229d0786c7f518f

SHA1
c77f0f3f156b8d88622336b97a522b846ef66e8a

SHA256
cfac4d3dd919112170b3160be1a125f1f921a43dec0c184a16f7517d86457e71

SHA512
ae5417f77080551e9dd1b8b7d071a2ec4b636233147649ba7cfbe2fbe9536bc6a1b2913f21da8d38f35a424bdf9f4669f4f8bacd8b2939d3b5f14a9b5999ffa4

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\Network Persistent State

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\Network Persistent State~RFe581edd.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\TransportSecurity

Filesize
356B

MD5
73ce6ffe45997d8daf328a1be1f90dd6

SHA1
10a3225442193e8cd7b8aff8a9d5e6cd9c9719e4

SHA256
509b5c54cc8c96cf17ecb2a89a4f71d959fc00c7ab993305d38b2fbddef0667b

SHA512
82718629278ff4431ee6300c6b47302e50b8f4a64dc4b0bfd85bc801d017e206026b1aac3e95fe20fbb53481bc865e3f272c8500d5e3c0e7706683ad94c8d05b

Download Submit
C:\Users\Admin\AppData\Roaming\game\Network\TransportSecurity~RFe57d8eb.TMP

Filesize
356B

MD5
1c615467ca0bf800173dedad7bbfbed7

SHA1
1769cb4176850c5cb8ce33227533b647caccd648

SHA256
1f18c1b73c101a76760d9fdba3541e9c69ae22722b791abba638ce814e4b4ce3

SHA512
91669505fc657eb28ae7bbd8b04870cf2ac8eeb15febc2252e8722b107b53186621bab7ee8cfb200b5ed2ee6e7827ae3ae76359f701225e7098f5131a483c31c

Download Submit
C:\Users\Admin\AppData\Roaming\game\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/4272-58-0x00007FFFA34D0000-0x00007FFFA34D1000-memory.dmp

Filesize
4KB

Download
memory/4272-57-0x00007FFFA4760000-0x00007FFFA4761000-memory.dmp

Filesize
4KB

Download
memory/4416-122-0x00007FFFA34D0000-0x00007FFFA34D1000-memory.dmp

Filesize
4KB

Download