f75fe37a3ed52d29bbb3bd6f5ffba37a0b9357bbff153dc6df5c5e72b0b98f32

Resubmissions

07/06/2024, 17:13

240607-vrtqgacd85 7

07/06/2024, 16:22

240607-tvl95aca32 7

Analysis

max time kernel
7s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

152.8MB
MD5

04381c4cf5aec314ce1d6a1a38590ade
SHA1

a78a0e9bc8f002d4fc53428e5b2c6ec346fa3dac
SHA256

6428aeaf90c857ce6c77f39f2c5c2186e7d54a5909657bcf953ffd1b344e501b
SHA512

2f29d7e76550f1e284cae7acd660b108495c6456e2abb398a49d036ac50399dc734bcff096f79abcc06002b5a01aff508c8239e843aefcdfca3e700a35933aec
SSDEEP

1572864:CLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:CypCmJctBjj2+Jv

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
496	Installer.exe
496	Installer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
2	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1212	powershell.exe
1624	powershell.exe
2248	powershell.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4104	tasklist.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 4676	496	Installer.exe	80
PID 496 wrote to memory of 4676	496	Installer.exe	80
PID 4676 wrote to memory of 2328	4676	cmd.exe	82
PID 4676 wrote to memory of 2328	4676	cmd.exe	82
PID 496 wrote to memory of 2088	496	Installer.exe	83
PID 496 wrote to memory of 2088	496	Installer.exe	83
PID 2088 wrote to memory of 4468	2088	cmd.exe	85
PID 2088 wrote to memory of 4468	2088	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\mshta.exe
    mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
    3⤵
    PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=1844,i,456213619498182405,1525644670011642773,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --mojo-platform-channel-handle=2056 --field-trial-handle=1844,i,456213619498182405,1525644670011642773,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  PID:3084
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  PID:244
- - C:\Windows\system32\where.exe
    where /r . *.sqlite
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  PID:4088
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
918925b4ffb522c4188485a5e84ab6ed

SHA1
f53ee7bacfae671d898075778f668cbf727c5d5e

SHA256
18d5722b4bdd546da121b4c8756096755cab8cb7c40126d93644910d9292f343

SHA512
82d4b87cc804c393a5c812a4dc327743ae928a44f8fd52902410ba43dfae738254e94437b0482c86a93dea416fcb87a34ed892f8541c7508545b3c98dfd4d8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dd673c4-d1bf-4518-b160-4e8aa842c2b6.tmp.node

Filesize
131KB

MD5
38f9fda9da740b500ac6a6889b13e132

SHA1
26773a72ae2f08161d3c9b02659987168787bdd2

SHA256
342efabc9da2df0de7ebaa56994a82778499faff89d1ac0c494acc8744392925

SHA512
083b25a518d374b6a655d2f46cb8e4fb3af7779cade698afc8cdad38712cc099bcfb23c99a91be468b82f07e6ff3bc7cefc6fb9c726a28c63056b5baa9be5837

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e31cda1-cd4e-473d-aa3e-b71d1a4275ba.tmp.node

Filesize
1.8MB

MD5
45b843453d5ac2de9a7a9f4e7171e25e

SHA1
081d835914cbedd5dcd6fab32cfdc5078f0ac8b1

SHA256
cddb5d76e230a858b03d9cd248a5df004136cb1cec67ae4f630b2452fc93d4b7

SHA512
6c9d6d51b8590baec1d4a929198b79e0e914f4cb7933bd5986bc03bff7432abb864b0497d9b2dd9d1135d48e2502b09e59426e89898980574a15e65a6e0cb4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvyy3sgv.40b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1624-29-0x00000285A6C30000-0x00000285A6C52000-memory.dmp

Filesize
136KB

Download
memory/2248-38-0x0000025C416C0000-0x0000025C41706000-memory.dmp

Filesize
280KB

Download
memory/2248-42-0x0000025C41530000-0x0000025C41554000-memory.dmp

Filesize
144KB

Download
memory/2248-41-0x0000025C41530000-0x0000025C4155A000-memory.dmp

Filesize
168KB

Download