525b73a880b13714a8925897d3399673a29ab0fa97eb8b2c8ec354719df37465

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

152.8MB
MD5

04381c4cf5aec314ce1d6a1a38590ade
SHA1

a78a0e9bc8f002d4fc53428e5b2c6ec346fa3dac
SHA256

6428aeaf90c857ce6c77f39f2c5c2186e7d54a5909657bcf953ffd1b344e501b
SHA512

2f29d7e76550f1e284cae7acd660b108495c6456e2abb398a49d036ac50399dc734bcff096f79abcc06002b5a01aff508c8239e843aefcdfca3e700a35933aec
SSDEEP

1572864:CLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:CypCmJctBjj2+Jv

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3468	Installer.exe
3468	Installer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4988	powershell.exe
4984	powershell.exe
2664	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4988	powershell.exe
4984	powershell.exe
2664	powershell.exe
1620	Installer.exe
1620	Installer.exe
4988	powershell.exe
2664	powershell.exe
4984	powershell.exe
2244	Installer.exe
2244	Installer.exe
2244	Installer.exe
2244	Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeIncreaseQuotaPrivilege	4988	powershell.exe
Token: SeSecurityPrivilege	4988	powershell.exe
Token: SeTakeOwnershipPrivilege	4988	powershell.exe
Token: SeLoadDriverPrivilege	4988	powershell.exe
Token: SeSystemProfilePrivilege	4988	powershell.exe
Token: SeSystemtimePrivilege	4988	powershell.exe
Token: SeProfSingleProcessPrivilege	4988	powershell.exe
Token: SeIncBasePriorityPrivilege	4988	powershell.exe
Token: SeCreatePagefilePrivilege	4988	powershell.exe
Token: SeBackupPrivilege	4988	powershell.exe
Token: SeRestorePrivilege	4988	powershell.exe
Token: SeShutdownPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeSystemEnvironmentPrivilege	4988	powershell.exe
Token: SeRemoteShutdownPrivilege	4988	powershell.exe
Token: SeUndockPrivilege	4988	powershell.exe
Token: SeManageVolumePrivilege	4988	powershell.exe
Token: 33	4988	powershell.exe
Token: 34	4988	powershell.exe
Token: 35	4988	powershell.exe
Token: 36	4988	powershell.exe
Token: SeIncreaseQuotaPrivilege	2664	powershell.exe
Token: SeSecurityPrivilege	2664	powershell.exe
Token: SeTakeOwnershipPrivilege	2664	powershell.exe
Token: SeLoadDriverPrivilege	2664	powershell.exe
Token: SeSystemProfilePrivilege	2664	powershell.exe
Token: SeSystemtimePrivilege	2664	powershell.exe
Token: SeProfSingleProcessPrivilege	2664	powershell.exe
Token: SeIncBasePriorityPrivilege	2664	powershell.exe
Token: SeCreatePagefilePrivilege	2664	powershell.exe
Token: SeBackupPrivilege	2664	powershell.exe
Token: SeRestorePrivilege	2664	powershell.exe
Token: SeShutdownPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeSystemEnvironmentPrivilege	2664	powershell.exe
Token: SeRemoteShutdownPrivilege	2664	powershell.exe
Token: SeUndockPrivilege	2664	powershell.exe
Token: SeManageVolumePrivilege	2664	powershell.exe
Token: 33	2664	powershell.exe
Token: 34	2664	powershell.exe
Token: 35	2664	powershell.exe
Token: 36	2664	powershell.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe
Token: SeCreatePagefilePrivilege	3468	Installer.exe
Token: SeShutdownPrivilege	3468	Installer.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1384	3468	Installer.exe	83
PID 3468 wrote to memory of 1384	3468	Installer.exe	83
PID 1384 wrote to memory of 2268	1384	cmd.exe	85
PID 1384 wrote to memory of 2268	1384	cmd.exe	85
PID 3468 wrote to memory of 4512	3468	Installer.exe	86
PID 3468 wrote to memory of 4512	3468	Installer.exe	86
PID 4512 wrote to memory of 2912	4512	cmd.exe	88
PID 4512 wrote to memory of 2912	4512	cmd.exe	88
PID 3468 wrote to memory of 1292	3468	Installer.exe	89
PID 3468 wrote to memory of 1292	3468	Installer.exe	89
PID 3468 wrote to memory of 4988	3468	Installer.exe	91
PID 3468 wrote to memory of 4988	3468	Installer.exe	91
PID 3468 wrote to memory of 2664	3468	Installer.exe	92
PID 3468 wrote to memory of 2664	3468	Installer.exe	92
PID 3468 wrote to memory of 4984	3468	Installer.exe	94
PID 3468 wrote to memory of 4984	3468	Installer.exe	94
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 2020	3468	Installer.exe	97
PID 3468 wrote to memory of 1620	3468	Installer.exe	98
PID 3468 wrote to memory of 1620	3468	Installer.exe	98
PID 3468 wrote to memory of 2424	3468	Installer.exe	100
PID 3468 wrote to memory of 2424	3468	Installer.exe	100
PID 2424 wrote to memory of 3968	2424	cmd.exe	102
PID 2424 wrote to memory of 3968	2424	cmd.exe	102
PID 3468 wrote to memory of 2244	3468	Installer.exe	109
PID 3468 wrote to memory of 2244	3468	Installer.exe	109

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\mshta.exe
    mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,2096662348297264894,15562929407887049194,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --mojo-platform-channel-handle=2108 --field-trial-handle=1848,i,2096662348297264894,15562929407887049194,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3968
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1848,i,2096662348297264894,15562929407887049194,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
50c591ec2a1e49297738ea9f28e3ad23

SHA1
137e36b4c7c40900138a6bcf8cf5a3cce4d142af

SHA256
7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447

SHA512
33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\37242131-f231-4163-a5c9-89cec7347a04.tmp.node

Filesize
1.8MB

MD5
946504b73f6dd7e9561ddbf7cf9f86a0

SHA1
df3594655751532f48ef8852c68a283920dea924

SHA256
0884e70e67ffa8125061402abf0171db9d5c23b25da56bc69a29f175465eb582

SHA512
16ff17057fade38843a3727e37c7d4c11ab5dadc5aa21435aac2a6e12151a6c53b3d8a21bb6a180100e68a7009a95faee907d8e59ed0c2e47bfd394aa11ce854

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbe4z4p1.bwg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c740f311-c589-473f-87c8-8fc9d80dfe42.tmp.node

Filesize
131KB

MD5
d11abe87367d1e7fc0df824e0ae441fd

SHA1
1276b0ff660cacb19d805cc191578169ef31dd55

SHA256
04f1606a0f35aef7043fb696a4d80fdcc19119f969def90df3e878ec2a2ed9a0

SHA512
2766368637edc45b59861bfa1d2acbd1b699dc1fd11ed77a5d83d051b335583e7e8d65949ab0cbae8fba4e2dad08d7dd78f5e122a089d65145ecefec6c889d3f

Download Submit
memory/2244-71-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-76-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-77-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-65-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-66-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-67-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-72-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-73-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-74-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-75-0x00000229B7DF0000-0x00000229B7DF1000-memory.dmp

Filesize
4KB

Download
memory/2664-43-0x00000233300E0000-0x000002333010A000-memory.dmp

Filesize
168KB

Download
memory/2664-44-0x00000233300E0000-0x0000023330104000-memory.dmp

Filesize
144KB

Download
memory/4984-41-0x000001D573590000-0x000001D5735D4000-memory.dmp

Filesize
272KB

Download
memory/4988-22-0x0000021FC7390000-0x0000021FC73B2000-memory.dmp

Filesize
136KB

Download
memory/4988-42-0x0000021FC9AF0000-0x0000021FC9B66000-memory.dmp

Filesize
472KB

Download