06f975779deac30ebbebcfed369df532b7f3ee4eec43ef847949a08b2687add5

Analysis

max time kernel
19s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-06-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

12.5MB
MD5

3b47c5209ce837f6b6eefce671594631
SHA1

7435ab77606c077793b7554cf8665c091fad7405
SHA256

06f975779deac30ebbebcfed369df532b7f3ee4eec43ef847949a08b2687add5
SHA512

f954a3569cd14bb125e4a15b177de3983ea7bb4b091901511d0e16ce4a0dcdffb01f4c784248fa82e25d0985b7a295541a16af520fc719f1749efb0292ea9c86
SSDEEP

196608:k6lF1lYbrcORXv9mnzJFuXbhgthzm/l5HYuVpOqVTgic6lBSgvVgsflABGr:ksYbrcMf9m9grijOjYuVpbgicCNvVr

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4176	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2956	Installer.exe
2956	Installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinDbg	Installer.exe
File created	C:\Windows\WinDbg\WinDbg.pe	Installer.exe
File opened for modification	C:\Windows\WinDbg\WinDbg.pe	Installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2956	Installer.exe
2956	Installer.exe
2956	Installer.exe
2956	Installer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1196	2956	Installer.exe	74
PID 2956 wrote to memory of 1196	2956	Installer.exe	74
PID 2956 wrote to memory of 3152	2956	Installer.exe	75
PID 2956 wrote to memory of 3152	2956	Installer.exe	75
PID 2956 wrote to memory of 3048	2956	Installer.exe	76
PID 2956 wrote to memory of 3048	2956	Installer.exe	76
PID 2956 wrote to memory of 3952	2956	Installer.exe	77
PID 2956 wrote to memory of 3952	2956	Installer.exe	77
PID 2956 wrote to memory of 2928	2956	Installer.exe	78
PID 2956 wrote to memory of 2928	2956	Installer.exe	78
PID 2956 wrote to memory of 720	2956	Installer.exe	79
PID 2956 wrote to memory of 720	2956	Installer.exe	79
PID 2956 wrote to memory of 1528	2956	Installer.exe	80
PID 2956 wrote to memory of 1528	2956	Installer.exe	80
PID 2956 wrote to memory of 4184	2956	Installer.exe	81
PID 2956 wrote to memory of 4184	2956	Installer.exe	81
PID 2956 wrote to memory of 32	2956	Installer.exe	82
PID 2956 wrote to memory of 32	2956	Installer.exe	82
PID 2956 wrote to memory of 236	2956	Installer.exe	83
PID 2956 wrote to memory of 236	2956	Installer.exe	83
PID 2956 wrote to memory of 204	2956	Installer.exe	84
PID 2956 wrote to memory of 204	2956	Installer.exe	84
PID 2956 wrote to memory of 3392	2956	Installer.exe	85
PID 2956 wrote to memory of 3392	2956	Installer.exe	85
PID 2956 wrote to memory of 2156	2956	Installer.exe	86
PID 2956 wrote to memory of 2156	2956	Installer.exe	86
PID 2956 wrote to memory of 2176	2956	Installer.exe	87
PID 2956 wrote to memory of 2176	2956	Installer.exe	87
PID 2956 wrote to memory of 4780	2956	Installer.exe	88
PID 2956 wrote to memory of 4780	2956	Installer.exe	88
PID 2956 wrote to memory of 4852	2956	Installer.exe	89
PID 2956 wrote to memory of 4852	2956	Installer.exe	89
PID 2956 wrote to memory of 4636	2956	Installer.exe	90
PID 2956 wrote to memory of 4636	2956	Installer.exe	90
PID 4636 wrote to memory of 4176	4636	cmd.exe	91
PID 4636 wrote to memory of 4176	4636	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\Prefetch\Installer.*.pf"
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\Prefetch\CMD.*.pf"
  2⤵
  PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\Prefetch\CONHOST.*.pf"
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\Prefetch\DLLHOST.*.pf"
  2⤵
  PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\Prefetch\RUNDLL32.*.pf"
  2⤵
  PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\vcsif.intel64.dll"
  2⤵
  PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\vaf.intel64.dll"
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\vsif.intel64.dll"
  2⤵
  PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\gid.intel64.dll"
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\winboot.dll"
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\far.slog"
  2⤵
  PID:204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\faw.slog"
  2⤵
  PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\faws.slog"
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\fawb.slog"
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q "C:\Windows\fai.slog"
  2⤵
  PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start rundll32 "C:\Windows\WinDbg\WinDbg.pe",ENTRY
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\rundll32.exe
    rundll32 "C:\Windows\WinDbg\WinDbg.pe",ENTRY
    3⤵
    - Loads dropped DLL
    PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WinDbg\WinDbg.pe

Filesize
14.2MB

MD5
0ca47860db3d52644dd8340f4d4b718a

SHA1
dc5c7a309d80f15d1f1b920a0b69258bf37aafa0

SHA256
9cfd3a8e418ea91510bec78c514189767215a1ba4d231100b084510f1c99750b

SHA512
7ef769c34f1e527a2cd26c033b3e9890c0f2e2bb920880a6f7e266f0886035220321e7d89a645d885bbd069ce630ba15997417b81cb411dcbf57d08561392753

Download Submit
memory/2956-0-0x00007FF7F80DC000-0x00007FF7F8827000-memory.dmp

Filesize
7.3MB

Download
memory/2956-1-0x00007FFF47090000-0x00007FFF47092000-memory.dmp

Filesize
8KB

Download
memory/2956-2-0x00007FF7F8080000-0x00007FF7F949D000-memory.dmp

Filesize
20.1MB

Download
memory/2956-3-0x00007FFF470A0000-0x00007FFF470A2000-memory.dmp

Filesize
8KB

Download
memory/2956-8-0x00007FF7F8080000-0x00007FF7F949D000-memory.dmp

Filesize
20.1MB

Download
memory/2956-16-0x00007FF7F80DC000-0x00007FF7F8827000-memory.dmp

Filesize
7.3MB

Download
memory/2956-17-0x00007FF7F8080000-0x00007FF7F949D000-memory.dmp

Filesize
20.1MB

Download