46e1f4257b5fbfbfbdcdb11eeafa0b91893385cf28972eb672ffc9fe906175ab

Resubmissions

28/07/2024, 17:32

240728-v397layfmg 7

28/07/2024, 17:11

240728-vqcqkayakd 7

11/07/2024, 10:44

240711-mstg4avhlf 7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

152.8MB
MD5

fda6602339a82085bb78a3b5342d699d
SHA1

8d819ae678d45c0c7c096d1fde2462c68eea8a56
SHA256

ad285800d276e0aaa1c9810d54429352214d0c8b219ac7da2bb646953b112fcd
SHA512

6015ec2ce05dd551e2267417111610dc982e7270542dcaed6f44acbb6245b7d7c239196c853a3763e7acaaa9a158244dde43cd1065c4a4e4be1505b6aa869a2c
SSDEEP

1572864:yLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:yypCmJctBjj2+Jv

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4604	Installer.exe
4604	Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipinfo.io
15	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4004	powershell.exe
1152	powershell.exe
1960	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Installer.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2372	tasklist.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4004	powershell.exe
1960	powershell.exe
3144	Installer.exe
3144	Installer.exe
1152	powershell.exe
4004	powershell.exe
1960	powershell.exe
1152	powershell.exe
516	Installer.exe
516	Installer.exe
516	Installer.exe
516	Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeIncreaseQuotaPrivilege	1152	powershell.exe
Token: SeSecurityPrivilege	1152	powershell.exe
Token: SeTakeOwnershipPrivilege	1152	powershell.exe
Token: SeLoadDriverPrivilege	1152	powershell.exe
Token: SeSystemProfilePrivilege	1152	powershell.exe
Token: SeSystemtimePrivilege	1152	powershell.exe
Token: SeProfSingleProcessPrivilege	1152	powershell.exe
Token: SeIncBasePriorityPrivilege	1152	powershell.exe
Token: SeCreatePagefilePrivilege	1152	powershell.exe
Token: SeBackupPrivilege	1152	powershell.exe
Token: SeRestorePrivilege	1152	powershell.exe
Token: SeShutdownPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeSystemEnvironmentPrivilege	1152	powershell.exe
Token: SeRemoteShutdownPrivilege	1152	powershell.exe
Token: SeUndockPrivilege	1152	powershell.exe
Token: SeManageVolumePrivilege	1152	powershell.exe
Token: 33	1152	powershell.exe
Token: 34	1152	powershell.exe
Token: 35	1152	powershell.exe
Token: 36	1152	powershell.exe
Token: SeIncreaseQuotaPrivilege	4004	powershell.exe
Token: SeSecurityPrivilege	4004	powershell.exe
Token: SeTakeOwnershipPrivilege	4004	powershell.exe
Token: SeLoadDriverPrivilege	4004	powershell.exe
Token: SeSystemProfilePrivilege	4004	powershell.exe
Token: SeSystemtimePrivilege	4004	powershell.exe
Token: SeProfSingleProcessPrivilege	4004	powershell.exe
Token: SeIncBasePriorityPrivilege	4004	powershell.exe
Token: SeCreatePagefilePrivilege	4004	powershell.exe
Token: SeBackupPrivilege	4004	powershell.exe
Token: SeRestorePrivilege	4004	powershell.exe
Token: SeShutdownPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeSystemEnvironmentPrivilege	4004	powershell.exe
Token: SeRemoteShutdownPrivilege	4004	powershell.exe
Token: SeUndockPrivilege	4004	powershell.exe
Token: SeManageVolumePrivilege	4004	powershell.exe
Token: 33	4004	powershell.exe
Token: 34	4004	powershell.exe
Token: 35	4004	powershell.exe
Token: 36	4004	powershell.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeDebugPrivilege	2372	tasklist.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe
Token: SeShutdownPrivilege	4604	Installer.exe
Token: SeCreatePagefilePrivilege	4604	Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1756	4604	Installer.exe	84
PID 4604 wrote to memory of 1756	4604	Installer.exe	84
PID 1756 wrote to memory of 380	1756	cmd.exe	86
PID 1756 wrote to memory of 380	1756	cmd.exe	86
PID 4604 wrote to memory of 4444	4604	Installer.exe	87
PID 4604 wrote to memory of 4444	4604	Installer.exe	87
PID 4444 wrote to memory of 3872	4444	cmd.exe	89
PID 4444 wrote to memory of 3872	4444	cmd.exe	89
PID 4604 wrote to memory of 4264	4604	Installer.exe	90
PID 4604 wrote to memory of 4264	4604	Installer.exe	90
PID 4604 wrote to memory of 1152	4604	Installer.exe	92
PID 4604 wrote to memory of 1152	4604	Installer.exe	92
PID 4604 wrote to memory of 4004	4604	Installer.exe	93
PID 4604 wrote to memory of 4004	4604	Installer.exe	93
PID 4604 wrote to memory of 1960	4604	Installer.exe	94
PID 4604 wrote to memory of 1960	4604	Installer.exe	94
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 400	4604	Installer.exe	97
PID 4604 wrote to memory of 3144	4604	Installer.exe	99
PID 4604 wrote to memory of 3144	4604	Installer.exe	99
PID 4604 wrote to memory of 3068	4604	Installer.exe	101
PID 4604 wrote to memory of 3068	4604	Installer.exe	101
PID 3068 wrote to memory of 2156	3068	cmd.exe	103
PID 3068 wrote to memory of 2156	3068	cmd.exe	103
PID 4604 wrote to memory of 4192	4604	Installer.exe	104
PID 4604 wrote to memory of 4192	4604	Installer.exe	104
PID 4192 wrote to memory of 4912	4192	cmd.exe	106
PID 4192 wrote to memory of 4912	4192	cmd.exe	106
PID 4604 wrote to memory of 1864	4604	Installer.exe	107
PID 4604 wrote to memory of 1864	4604	Installer.exe	107
PID 1864 wrote to memory of 2372	1864	cmd.exe	109
PID 1864 wrote to memory of 2372	1864	cmd.exe	109
PID 4604 wrote to memory of 444	4604	Installer.exe	110
PID 4604 wrote to memory of 444	4604	Installer.exe	110
PID 444 wrote to memory of 2668	444	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\mshta.exe
    mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
    3⤵
    PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:4264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1880,i,334031844496546973,16563725839107546544,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --mojo-platform-channel-handle=2104 --field-trial-handle=1880,i,334031844496546973,16563725839107546544,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\system32\where.exe
    where /r . *.sqlite
    3⤵
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2496 --field-trial-handle=1880,i,334031844496546973,16563725839107546544,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
50c591ec2a1e49297738ea9f28e3ad23

SHA1
137e36b4c7c40900138a6bcf8cf5a3cce4d142af

SHA256
7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447

SHA512
33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\139bd2c0-b4ba-4383-9969-38fd105c5b9b.tmp.node

Filesize
131KB

MD5
ba32439d171757c11ab0ca8f4a51565f

SHA1
9e9510188c7da8f858665fa70c39c0fed3eb2248

SHA256
e6f8144d00aa5be457b5302cfe5b6bdb8a7af85c180671c0eac69e1b3ee54e20

SHA512
19293f32c8ca55a95a90c4f55c55e4aa25b385ff445d6665083430c1a78d86569b222dc710df1b2123dd8b7e751c6a36d927819dfd4dc9d45c2a5e0d1ea85260

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5r5e300.fry.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aed342fb-36bc-4f1a-b186-0363220f05d5.tmp.node

Filesize
1.8MB

MD5
fc3bf7f9df9056e23640d643bb6864cd

SHA1
253efe38a77772bde40b2e452731f040c42cbff5

SHA256
991f85856a7ef1937ce09d25704ad5617441ab3e901c455973fe3c521e409cb3

SHA512
f59cea9e78891faaeed67b89bff920379d5cd1edb665ac316eafbd5eecb44bc1458183944ba4dd5375fa16342fcbe6b6c6cd18bbd2b03654c339ea56924fe83e

Download Submit
memory/516-86-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-84-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-81-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-74-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-75-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-76-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-80-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-82-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-83-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/516-85-0x000001CC0E310000-0x000001CC0E311000-memory.dmp

Filesize
4KB

Download
memory/1152-47-0x000001CE3D4D0000-0x000001CE3D4F4000-memory.dmp

Filesize
144KB

Download
memory/1152-46-0x000001CE3D4D0000-0x000001CE3D4FA000-memory.dmp

Filesize
168KB

Download
memory/4004-41-0x000001E969D80000-0x000001E969DC4000-memory.dmp

Filesize
272KB

Download
memory/4004-18-0x000001E969860000-0x000001E969882000-memory.dmp

Filesize
136KB

Download
memory/4004-42-0x000001E969E50000-0x000001E969EC6000-memory.dmp

Filesize
472KB

Download