b0410c03a893377b1726c7d31fed5796ae24c8ba55061aa7a02f04fd96a32af5

General

Target

InstallKit_24313_win64.exe
Size

21.4MB
MD5

65a1f593552de7934b0bcb782abc43c4
SHA1

b379c45dcfd03680bb1d97e34a27d1eec8b398a4
SHA256

b0410c03a893377b1726c7d31fed5796ae24c8ba55061aa7a02f04fd96a32af5
SHA512

0ebceed4be166581b00d7aa73e439ccee8bd2170d1073fe2b269aa0d1a3c04dd26fb4add4b4aa77a8b69a9adff06365310306172e1003303fbe90b2aad3077bc
SSDEEP

196608:6Y/W2TrybPU3ENBlut4E/iUous5kW+bD5Pc90umN40vyv+SQBVluw9a+Y:6aWqrybhNBlu3/i5X5kpD5GmHv1nRY

Score

5^/10

execution

Malware Config

Signatures

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes:

cmd.exe

pid process

2232 cmd.exe

pid	process
2232	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallKit_24313_win64.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	InstallKit_24313_win64.tmp

Executes dropped EXE 2 IoCs

Processes:

InstallKit_24313_win64.tmpInstallKit_24313_win64.tmp

pid process

400 InstallKit_24313_win64.tmp
1716 InstallKit_24313_win64.tmp
Loads dropped DLL 2 IoCs

Processes:

InstallKit_24313_win64.tmpInstallKit_24313_win64.tmp

pid process

400 InstallKit_24313_win64.tmp
1716 InstallKit_24313_win64.tmp
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

5260 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
400	InstallKit_24313_win64.tmp
1716	InstallKit_24313_win64.tmp

pid	process
400	InstallKit_24313_win64.tmp
1716	InstallKit_24313_win64.tmp

pid	process
5260	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

InstallKit_24313_win64.tmppowershell.exe

pid	process
1716	InstallKit_24313_win64.tmp
1716	InstallKit_24313_win64.tmp
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5260 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

InstallKit_24313_win64.tmp

pid process

1716 InstallKit_24313_win64.tmp

description	pid	process
Token: SeDebugPrivilege	5260	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

InstallKit_24313_win64.exeInstallKit_24313_win64.tmpInstallKit_24313_win64.exeInstallKit_24313_win64.tmpcmd.exe

description	pid	process	target process
PID 1564 wrote to memory of 400	1564	InstallKit_24313_win64.exe	InstallKit_24313_win64.tmp
PID 1564 wrote to memory of 400	1564	InstallKit_24313_win64.exe	InstallKit_24313_win64.tmp
PID 1564 wrote to memory of 400	1564	InstallKit_24313_win64.exe	InstallKit_24313_win64.tmp
PID 400 wrote to memory of 1568	400	InstallKit_24313_win64.tmp	InstallKit_24313_win64.exe
PID 400 wrote to memory of 1568	400	InstallKit_24313_win64.tmp	InstallKit_24313_win64.exe
PID 400 wrote to memory of 1568	400	InstallKit_24313_win64.tmp	InstallKit_24313_win64.exe
PID 1568 wrote to memory of 1716	1568	InstallKit_24313_win64.exe	InstallKit_24313_win64.tmp
PID 1568 wrote to memory of 1716	1568	InstallKit_24313_win64.exe	InstallKit_24313_win64.tmp
PID 1568 wrote to memory of 1716	1568	InstallKit_24313_win64.exe	InstallKit_24313_win64.tmp
PID 1716 wrote to memory of 2232	1716	InstallKit_24313_win64.tmp	cmd.exe
PID 1716 wrote to memory of 2232	1716	InstallKit_24313_win64.tmp	cmd.exe
PID 2232 wrote to memory of 5260	2232	cmd.exe	powershell.exe
PID 2232 wrote to memory of 5260	2232	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\InstallKit_24313_win64.exe
"C:\Users\Admin\AppData\Local\Temp\InstallKit_24313_win64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\is-0AA3P.tmp\InstallKit_24313_win64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0AA3P.tmp\InstallKit_24313_win64.tmp" /SL5="$701D0,4828351,725504,C:\Users\Admin\AppData\Local\Temp\InstallKit_24313_win64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\InstallKit_24313_win64.exe
"C:\Users\Admin\AppData\Local\Temp\InstallKit_24313_win64.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\is-ROKJI.tmp\InstallKit_24313_win64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ROKJI.tmp\InstallKit_24313_win64.tmp" /SL5="$801D0,4828351,725504,C:\Users\Admin\AppData\Local\Temp\InstallKit_24313_win64.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\cmd.exe
"cmd.exe" /C p^o^w^e^r^s^h^e^l^l^.^e^x^e^ -^N^o^L^o^g^o^ -^N^o^P^r^o^f^i^l^e^ -^E^x^e^c^u^t^i^o^n^P^o^l^i^c^y^ ^R^e^m^o^t^e^S^i^g^n^e^d^ -^F^i^l^e^ "C:\Users\Admin\AppData\Local\Temp\is-7KDUJ.tmp\\D59C3EEV.ps1"
5⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\is-7KDUJ.tmp\\D59C3EEV.ps1"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yadc4xsf.ddt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0AA3P.tmp\InstallKit_24313_win64.tmp

Filesize
2.9MB

MD5
a0ec6f52e2963da51e7718fa893dfe9b

SHA1
281a97ba2b01e57f17bb57a85cd8a2f79e2dbdd3

SHA256
117e88047fa7f0e326e02ecdadd4bbf0ff0acc897a3499c5728a530a566aa796

SHA512
941b2509ebd1a5376b97ee4f2ee8658a974aded1f3a424dcc56872987a134057c36bec5780d529ab481fedec69a1e14529f3a45d174897a81621582b66fa38ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7KDUJ.tmp\D59C3EEV.ps1

Filesize
723KB

MD5
57b69d97abcec8125167a903957a8a4e

SHA1
ff7f77c6125734965adb87d3dc16ee22383b3625

SHA256
63760f40b6cda43eb12b6f114f4f84f58bfc2808ef2ff1f42a5fa91dae312c98

SHA512
e0bbdeab342d8f6474cec561914d83af2acd61e55c898b2ea72767c913b6a657e9b57330935c148e192c39d82ee7fa211c94325141fd3f63bb94544b06c2aadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DG4IO.tmp\_isetup\_iscrypt.dll

Filesize
12KB

MD5
47cfd05fde4babe79530c7ea730f6dc0

SHA1
2c055fa81f19d6f024f1f3d5b2dd0d5fde51d87e

SHA256
4bb34fe74f86ab389763863ee395a93d73e2d9548c224819ec9055d7c8c4b480

SHA512
ece4b4268e0d346e438f6f59fe333f7b6f95e3287791c517ef477935704ad2788e544a877b39abf542cd90a23966302d44cf03fb71e95c4f84ea11e634b3cbd0

Download Submit
memory/400-6-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/400-16-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/1564-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1564-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1564-18-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1568-15-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1568-13-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1568-57-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1716-22-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/1716-55-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/5260-36-0x000001AE58630000-0x000001AE58652000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads