46e1f4257b5fbfbfbdcdb11eeafa0b91893385cf28972eb672ffc9fe906175ab

Resubmissions

28-07-2024 17:32

240728-v397layfmg 7

28-07-2024 17:11

240728-vqcqkayakd 7

11-07-2024 10:44

240711-mstg4avhlf 7

Analysis

max time kernel
63s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

152.8MB
MD5

fda6602339a82085bb78a3b5342d699d
SHA1

8d819ae678d45c0c7c096d1fde2462c68eea8a56
SHA256

ad285800d276e0aaa1c9810d54429352214d0c8b219ac7da2bb646953b112fcd
SHA512

6015ec2ce05dd551e2267417111610dc982e7270542dcaed6f44acbb6245b7d7c239196c853a3763e7acaaa9a158244dde43cd1065c4a4e4be1505b6aa869a2c
SSDEEP

1572864:yLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:yypCmJctBjj2+Jv

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1556	Installer.exe
1556	Installer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ipinfo.io
32	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1576	powershell.exe
4464	powershell.exe
4772	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Installer.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4464	powershell.exe
4464	powershell.exe
4772	powershell.exe
4772	powershell.exe
1576	powershell.exe
1576	powershell.exe
4772	powershell.exe
1320	Installer.exe
1320	Installer.exe
4464	powershell.exe
1576	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeIncreaseQuotaPrivilege	4464	powershell.exe
Token: SeSecurityPrivilege	4464	powershell.exe
Token: SeTakeOwnershipPrivilege	4464	powershell.exe
Token: SeLoadDriverPrivilege	4464	powershell.exe
Token: SeSystemProfilePrivilege	4464	powershell.exe
Token: SeSystemtimePrivilege	4464	powershell.exe
Token: SeProfSingleProcessPrivilege	4464	powershell.exe
Token: SeIncBasePriorityPrivilege	4464	powershell.exe
Token: SeCreatePagefilePrivilege	4464	powershell.exe
Token: SeBackupPrivilege	4464	powershell.exe
Token: SeRestorePrivilege	4464	powershell.exe
Token: SeShutdownPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeSystemEnvironmentPrivilege	4464	powershell.exe
Token: SeRemoteShutdownPrivilege	4464	powershell.exe
Token: SeUndockPrivilege	4464	powershell.exe
Token: SeManageVolumePrivilege	4464	powershell.exe
Token: 33	4464	powershell.exe
Token: 34	4464	powershell.exe
Token: 35	4464	powershell.exe
Token: 36	4464	powershell.exe
Token: SeIncreaseQuotaPrivilege	1576	powershell.exe
Token: SeSecurityPrivilege	1576	powershell.exe
Token: SeTakeOwnershipPrivilege	1576	powershell.exe
Token: SeLoadDriverPrivilege	1576	powershell.exe
Token: SeSystemProfilePrivilege	1576	powershell.exe
Token: SeSystemtimePrivilege	1576	powershell.exe
Token: SeProfSingleProcessPrivilege	1576	powershell.exe
Token: SeIncBasePriorityPrivilege	1576	powershell.exe
Token: SeCreatePagefilePrivilege	1576	powershell.exe
Token: SeBackupPrivilege	1576	powershell.exe
Token: SeRestorePrivilege	1576	powershell.exe
Token: SeShutdownPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeSystemEnvironmentPrivilege	1576	powershell.exe
Token: SeRemoteShutdownPrivilege	1576	powershell.exe
Token: SeUndockPrivilege	1576	powershell.exe
Token: SeManageVolumePrivilege	1576	powershell.exe
Token: 33	1576	powershell.exe
Token: 34	1576	powershell.exe
Token: 35	1576	powershell.exe
Token: 36	1576	powershell.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe
Token: SeCreatePagefilePrivilege	1556	Installer.exe
Token: SeShutdownPrivilege	1556	Installer.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3696	1556	Installer.exe	89
PID 1556 wrote to memory of 3696	1556	Installer.exe	89
PID 3696 wrote to memory of 1120	3696	cmd.exe	91
PID 3696 wrote to memory of 1120	3696	cmd.exe	91
PID 1556 wrote to memory of 3700	1556	Installer.exe	92
PID 1556 wrote to memory of 3700	1556	Installer.exe	92
PID 3700 wrote to memory of 2452	3700	cmd.exe	94
PID 3700 wrote to memory of 2452	3700	cmd.exe	94
PID 1556 wrote to memory of 1372	1556	Installer.exe	96
PID 1556 wrote to memory of 1372	1556	Installer.exe	96
PID 1556 wrote to memory of 1576	1556	Installer.exe	98
PID 1556 wrote to memory of 1576	1556	Installer.exe	98
PID 1556 wrote to memory of 4464	1556	Installer.exe	99
PID 1556 wrote to memory of 4464	1556	Installer.exe	99
PID 1556 wrote to memory of 4772	1556	Installer.exe	100
PID 1556 wrote to memory of 4772	1556	Installer.exe	100
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 784	1556	Installer.exe	104
PID 1556 wrote to memory of 1320	1556	Installer.exe	105
PID 1556 wrote to memory of 1320	1556	Installer.exe	105
PID 1556 wrote to memory of 776	1556	Installer.exe	108
PID 1556 wrote to memory of 776	1556	Installer.exe	108
PID 776 wrote to memory of 2944	776	cmd.exe	110
PID 776 wrote to memory of 2944	776	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\mshta.exe
    mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1892,i,411126346557961081,3270302909323234996,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:784
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --mojo-platform-channel-handle=2104 --field-trial-handle=1892,i,411126346557961081,3270302909323234996,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2624 --field-trial-handle=1892,i,411126346557961081,3270302909323234996,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a1e03fe1039bf494d77070f2c583626

SHA1
bb6b31d644873fea13cb3c37e6225670b5682c8b

SHA256
53bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2

SHA512
e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5w0ilbp.bor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4570b01-7968-464c-b545-5b75e4e1f3e5.tmp.node

Filesize
131KB

MD5
ba32439d171757c11ab0ca8f4a51565f

SHA1
9e9510188c7da8f858665fa70c39c0fed3eb2248

SHA256
e6f8144d00aa5be457b5302cfe5b6bdb8a7af85c180671c0eac69e1b3ee54e20

SHA512
19293f32c8ca55a95a90c4f55c55e4aa25b385ff445d6665083430c1a78d86569b222dc710df1b2123dd8b7e751c6a36d927819dfd4dc9d45c2a5e0d1ea85260

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb8ed059-4453-4d43-babc-34062a92c3c2.tmp.node

Filesize
1.8MB

MD5
fc3bf7f9df9056e23640d643bb6864cd

SHA1
253efe38a77772bde40b2e452731f040c42cbff5

SHA256
991f85856a7ef1937ce09d25704ad5617441ab3e901c455973fe3c521e409cb3

SHA512
f59cea9e78891faaeed67b89bff920379d5cd1edb665ac316eafbd5eecb44bc1458183944ba4dd5375fa16342fcbe6b6c6cd18bbd2b03654c339ea56924fe83e

Download Submit
memory/1576-46-0x000002A6B1FC0000-0x000002A6B1FEA000-memory.dmp

Filesize
168KB

Download
memory/1576-47-0x000002A6B1FC0000-0x000002A6B1FE4000-memory.dmp

Filesize
144KB

Download
memory/4560-77-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-66-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-68-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-67-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-78-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-76-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-75-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-74-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-73-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4560-72-0x00000208F6930000-0x00000208F6931000-memory.dmp

Filesize
4KB

Download
memory/4772-42-0x000002EE75F70000-0x000002EE75FE6000-memory.dmp

Filesize
472KB

Download
memory/4772-41-0x000002EE75EA0000-0x000002EE75EE4000-memory.dmp

Filesize
272KB

Download
memory/4772-24-0x000002EE73930000-0x000002EE73952000-memory.dmp

Filesize
136KB

Download