Overview

overview

9

Static

static

7

InstaSLAYER.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    90s
  • max time network
    101s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-05-2024 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    InstaSLAYER.exe

  • Size

    615.1MB

  • MD5

    796c4e013accc1d47e263f2438248e5e

  • SHA1

    dbca3bb74c9715a4b21259fa644a39a59bb438a7

  • SHA256

    e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0

  • SHA512

    5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c

  • SSDEEP

    49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score
9/10
evasionexecutionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 13 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\InstaSLAYER.exe
    "C:\Users\Admin\AppData\Local\Temp\InstaSLAYER.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s31s.0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2328
      • C:\ProgramData\software\ULEXPY.exe
        "C:\ProgramData\software\ULEXPY.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1444
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3748
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 688
          4⤵
          • Program crash
          PID:2264
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2896 -ip 2896
    1⤵
      PID:1872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      23fcb142c030dca59a172887461840df

      SHA1

      02c893664836f80d9a2713f03df2cf0594e15238

      SHA256

      0dfef1f39fed6e748d728b90bb2885969a561827f7a81870abb381037b98b4d3

      SHA512

      1b987ac684135075950cd4a04b7ada2f82ca5ee6053aa77b7106c492121dc720ea886b85f8228e8227d23f78a33d77880408c09ddedca060837297e57115bac5

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      b6eeb9a1faf810dae514215eabcf5a77

      SHA1

      759417bd2cb4ce97989c7a1ba7e7a79a816e4692

      SHA256

      752d98fa06f41e05e41bf116a5de1fed1ab26c34232ec0724895479032561e77

      SHA512

      b91812ca1901f286240ecbf1687afe5c6af77031efdd646d0eeea0f8a4fc2dfd1197e67a72c478992f2a59179ac0d3f5a451a1f0285a7debb1e8757e3f513980

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvu01uod.00x.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\s31s.0.bat
      Filesize

      174B

      MD5

      57c41bba0d22ea5dd6de8d1191e9dfe3

      SHA1

      bb2994ad802cc3a839862c4f73b2d4e5c1808a02

      SHA256

      d412ceabf25ca09c5a7436b228a86973f7515ec80c78f2e36105f2e7940b5f6c

      SHA512

      890cec6a9631d62b5e424e88851dc3f61cd13be3c5bc32fcb94d8a2d72c4cc53419bcda3b0ee86c74455c937004978b9c2be5644483f1ad4c12326ac3cba3e1a

      Download Submit
    • memory/1444-133-0x0000000007900000-0x0000000007915000-memory.dmp
      Filesize

      84KB

      Download
    • memory/1444-92-0x0000000005BA0000-0x0000000005EF7000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1444-110-0x0000000006390000-0x00000000063DC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1444-123-0x000000006FB40000-0x000000006FB8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1444-132-0x00000000078C0000-0x00000000078D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2896-91-0x0000000000070000-0x00000000006F3000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2896-112-0x0000000000070000-0x00000000006F3000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2896-87-0x0000000000070000-0x00000000006F3000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2896-90-0x0000000000070000-0x00000000006F3000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2896-89-0x0000000000070000-0x00000000006F3000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2896-88-0x0000000000070000-0x00000000006F3000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3560-7-0x000000007390E000-0x000000007390F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-11-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3560-23-0x0000000005F10000-0x0000000006267000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3560-71-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3560-65-0x0000000007990000-0x000000000799E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3560-10-0x00000000055F0000-0x0000000005C1A000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3560-13-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3560-67-0x0000000007AA0000-0x0000000007ABA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3560-50-0x00000000702B0000-0x00000000702FC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3560-8-0x0000000004F50000-0x0000000004F86000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3748-122-0x0000000007030000-0x00000000070D4000-memory.dmp
      Filesize

      656KB

      Download
    • memory/3748-113-0x000000006FB40000-0x000000006FB8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3952-0-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3952-4-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3952-5-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3952-2-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3952-82-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3952-3-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3952-1-0x0000000077A16000-0x0000000077A18000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3952-6-0x00000000003D0000-0x0000000000A53000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/5032-14-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/5032-68-0x00000000077C0000-0x00000000077C8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/5032-66-0x00000000076D0000-0x00000000076E5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/5032-64-0x0000000007690000-0x00000000076A1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/5032-63-0x0000000007710000-0x00000000077A6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/5032-77-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/5032-62-0x0000000007500000-0x000000000750A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/5032-61-0x0000000007480000-0x000000000749A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/5032-60-0x0000000007AC0000-0x000000000813A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/5032-51-0x0000000007160000-0x0000000007204000-memory.dmp
      Filesize

      656KB

      Download
    • memory/5032-37-0x0000000006710000-0x0000000006744000-memory.dmp
      Filesize

      208KB

      Download
    • memory/5032-39-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/5032-49-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/5032-48-0x00000000066F0000-0x000000000670E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/5032-38-0x00000000702B0000-0x00000000702FC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/5032-35-0x0000000006150000-0x000000000616E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/5032-36-0x00000000061E0000-0x000000000622C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/5032-16-0x0000000005BA0000-0x0000000005C06000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5032-17-0x0000000005C10000-0x0000000005C76000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5032-15-0x0000000005380000-0x00000000053A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5032-12-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/5032-9-0x0000000073900000-0x00000000740B1000-memory.dmp
      Filesize

      7.7MB

      Download