Analysis
-
max time kernel
122s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-10-2024 01:17
General
-
Target
AinzSkinSetup.exe
-
Size
62.2MB
-
MD5
9cea8af98a4571b6fbd4f0bdd45fa079
-
SHA1
d881265408db3069274854ea2df6b2a847f425c0
-
SHA256
ecb6c7d7bc73fc24a4ce26dee2aa01ca9195a6d4ff7cc98da7f661107c1acaf8
-
SHA512
8ba7a64c515878c8bcbea2d0bab971476455d5d70c5126205ee4d9021ad1851a5c2b34d2db810e021845b262ddc848ece2c5149d8202b215f8f156cbfefb6345
-
SSDEEP
1572864:gC5g8eSkbdUvI4dHchPb2MJHugOlR7iDoQ06CxZAYWHQ7+iz:qUvj8N6MJOgWR7Z56CxOAz
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 14 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AinzSkinSetup.exe"C:\Users\Admin\AppData\Local\Temp\AinzSkinSetup.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-DOMJS.tmp\AinzSkinSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-DOMJS.tmp\AinzSkinSetup.tmp" /SL5="$3014E,64333340,787968,C:\Users\Admin\AppData\Local\Temp\AinzSkinSetup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "&{$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Public\Desktop\AinzSkin.lnk'); $bytes[0x15] = $bytes[0x15] -bor 0x20; [System.IO.File]::WriteAllBytes('C:\Users\Public\Desktop\AinzSkin.lnk', $bytes); }"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "&{$bytes = [System.IO.File]::ReadAllBytes('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AinzSkin.lnk'); $bytes[0x15] = $bytes[0x15] -bor 0x20; [System.IO.File]::WriteAllBytes('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AinzSkin.lnk', $bytes); }"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\AinzSkin\ModSkinLOL.exe"C:\Program Files\AinzSkin\ModSkinLOL.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.31&gui=true4⤵
- System Time Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD52d098ca4899332692ba28f221969fafa
SHA12d25b1c68c22349cacdffc422eb6863d00783947
SHA25686f6b342230ded80b29b6221a7990233232fa813ea6c0954ed5f18cc68d1c92b
SHA512864be97fdd98ca61f24b44d58806c7308475f18e967bb613d064334fe0fe385056e54a0764e3bdff86bf1020316744252e00c8b5044add7cd834d57866f46d63
-
Filesize
43KB
MD5c209cd95d7ec120bc76b02e05da4ad19
SHA10c1edac488af786b04a197e94426611801660cbe
SHA256aa74ffb585be218d92a4be494ccdb148d06dda5be11c26c0f1294ea7e34a3573
SHA5121089a264c6aeab3b7957381ba29e18d00fd3dac7e7d8e4f3d181eb5165c66b01ea463f7fe58b78c1cd302811d494294deb9c26fb2e81af5ae3a985661b0bd389
-
Filesize
695KB
MD5adf3e3eecde20b7c9661e9c47106a14a
SHA1f3130f7fd4b414b5aec04eb87ed800eb84dd2154
SHA25622c649f75fce5be7c7ccda8880473b634ef69ecf33f5d1ab8ad892caf47d5a07
SHA5126a644bfd4544950ed2d39190393b716c8314f551488380ec8bd35b5062aa143342dfd145e92e3b6b81e80285cac108d201b6bbd160cb768dc002c49f4c603c0b
-
Filesize
843B
MD51bb5232a56b50271e127d873eab8ae29
SHA1f889813cf81abb4a2a8eff46249b823692233331
SHA25635df16be02a56e7a262e6cd0649da98a8ce534ab84e54866366a6d614c049496
SHA51257a7cc16c1f8708852c0fac184be0300ed9e687f19114f32383912c9d57e8c3149bf745c8a0584416f5ea186191b32da20a6c71123ddc37d85c7b023b162c861
-
Filesize
342B
MD57690c78ab86bc2259d4670e48965359d
SHA1bdd819a926c54ba806c162b9337b43a401f29179
SHA256398a71b16b2523dc409eb99b9ade96f9196843184586de451571faf317c3a2df
SHA5123b290f7136f61b5b5af2c7c1c1fb8e7ae3151d611fc7bf138195f7a38038ba33d9b2a95c650859619867a15a0ab68acbc1aa1157c62be2e9eedfbe7ad4793cb6
-
Filesize
342B
MD571021b72e2c9edb0fe5876f729ca2032
SHA1f46fca8f19c1d711a76f9c9f1576fd95cd1d2ace
SHA2568993bf729af17b71e824491daaaf15dcec9c1334c961507bd57052904c4ca3e4
SHA512971a5e0de64fcd53171dd0a909d76f97a2dc384f0750648307798af200e86939ff23c2642e07b9bbb8209ade4d8e9bb098e6ef11e07a2d42386157b5178f91d8
-
Filesize
342B
MD51a3a0a664580e403cad261cf334539cc
SHA10ef4287607593a9171a99f07ebad8c864dd527b2
SHA256794670dc01543cc0cbb77b3354765be45e48b3c4a42d3b37ab380fc488e4fdf5
SHA5126ab6bd65393d32e1f0602694ca877d282dd18c36dbdb2b7ac7bfedef06be00a6b6461c455847cf6158e5c25e0495eb69742a653677d7ef098410630bfdaa267e
-
Filesize
342B
MD5f69ea9ce1709dc3207c1b116beb8153d
SHA153fa4adb544c92cbef21c1e3b1e4613dc362e408
SHA256dfa249355e325cc4efc596bf6da368e59955bb68653e3bb92b9e604d7d052ad9
SHA5123eda952e05863615a780a4a43a0f6f228d8f379ea41c1a935969b076c592a4b3578a1c72cfe0a545e1d88931f9f8e15f76cef3c7c072d8788ec4d5476118d021
-
Filesize
342B
MD54c5d21382708b300dadd830bec47eeee
SHA152384a2630bfaabbb318f769e52e14a1b1acc9ca
SHA256f168639d91b6e9c5d05f1328c2d221ee38c1651b25df2daf8cccdb8da7cf3ed6
SHA5123eb79fefed3ebba5ef4f26753825a3c5642e8059ca6a4fe5956e0c6d0eb3fa6707c05f87a1ee8ad5fee330d52273a60c487afc906fbbe62a8da8b2e091447076
-
Filesize
342B
MD5f7ac289edc9d351593ce2779c126c7db
SHA1f011670d7d036956c683012f5c56e6e0e5f8f6ba
SHA25652b0eaa3cbf721041eecd8c274f43bd5bab91bc872223d4f349e91fd092a1554
SHA5128b430f538d9430ef1b9223f294873ceeaede5f4c67c135473069e13f0783a47d0be85d3cd6e689153ad810db648d121fb6fc7758a7a41c5e8d16207084f987a9
-
Filesize
342B
MD5db486ad689890abdd547d6c43cbb7282
SHA11979de40eec64fce8e1fdffc7d5e6ee4d045ac96
SHA256f90bd82d9f0d322beb85506e6228bc22455dd6a6e4b1671ca82e87c8c389a48b
SHA512425c9b28b8ecd103401af05e8d023ea0615bc1d9c79128b64f62169828d56305ac667330459bd0bc63292855d4f24bd2c5b76274a32e334b023968c93a96845f
-
Filesize
342B
MD54dc45d67f42a55be042d25a3bb72eae0
SHA147c858769b3e51ed221ee6adf2ad3d5bc81e5310
SHA256ad86c124773e394fb83c2feb104450eee7863c6365042a7a35aa468102607ac6
SHA512a6969f92431ade195d5d26296395338288846c2890947c8699ae5ad11e26d49f7175a8eb8c2ffa362493241b3254a52b0bbba7ad8b3394ce8d7124b1dc8ca415
-
Filesize
342B
MD51dc6ab548f0ed34073ecd054f84ab51d
SHA14b0ceb483bb86ef2798f1022162583f7a11369d0
SHA256d843280a5a92ea29fe2cfa47d1c6cc3c9c6fa170d244db4bff08469d57c22bc4
SHA5124ea4426f56d15bbcb8e0fe3e03bded45c8726bcb2bf24142da92564a79b9b28b09b51ac32d2df864e20224f572c48944cbee50cd59d009f4b6119ffd357e0857
-
Filesize
342B
MD50bdbf8ba289a6884ac472521e1af2854
SHA1d22cf88c2ac02760c4bc62f2c3a5d58ef5821273
SHA256320940172c3158928ab6d761da3eb0e0c3b1295b04d3829db0a0ea0250dc4fcc
SHA5124c12f1c9f04bb38b20659ce63d8dd9e603c9e288e21ba131071529458571f00748bbb831b42674b300a147821493ff9098216d9630bda81cc55a486038955497
-
Filesize
342B
MD5f38cd29590ae3390070a60fa26956237
SHA15636325f7a738dc4defbd1c4b1467e6945b10fc6
SHA256f0d26107193d9a70be4a86ecf05bad1074cfb42cae2fa5d3ad4f55a48739eb1f
SHA5126376e80fdc070cec533955586d4fef04d825284bdd7fcef03f7d0b9b3c8ca08b12ca0517645ee617747fb1f8149917a6fbbce12937be175dd8406ae43b94b6ee
-
Filesize
342B
MD559a13d0661b316ab5c2fdd2177b59ed5
SHA12edfde2f4bf75aa47a7f50ea3adce5ec97419c4c
SHA256a0369469beadf1e811b39005ca0dd9ef009642ce89cc35e5eacf6ff47b5e2e19
SHA5122cb8dce90129127b4653dea99c6387823a08854846b1981fed9902078f01536fd76aba6a6df13df5d77c2b6fcc6f01ac3ad647ab1dc7a5960c35e353ef2576a5
-
Filesize
342B
MD553f2c2ccaf21c8912dfe74f3c87b1e52
SHA1163bc9bb1eaafdcf45ab71d32aa8d0b5d37b9270
SHA2561bc5b2a05a938cd258a2e175b4fb4081f873f4b0d4b4dc1adf0291eab0726091
SHA5128c56af210935ed1aa6e3bcc8082c639f1a15e2c93151f39df57c501fd35f9235768d25619999647aacd31052bf3fd83576207ed2b74afbd7da0b01b8d915c01b
-
Filesize
342B
MD5018ca5d39b601a1acd66aa1f22ea826c
SHA127e8ed81581258b5f8a88bc05065389fd6c871a6
SHA2562df2b1fa0807118cee9155f18713ff93b592f0625bbb61675180de4f984a9e04
SHA512270e1daf7c239b1b41736e9da4c6936a9f8de51e7dcd1e7d3e1e02a19c68be71db0d0185a57aeb28fbee72120538be2168660129ef27a034360f2a0428d62b8e
-
Filesize
342B
MD52c42fa2c8f4a83339f124921167aabda
SHA152305829ddfa720712f3c518cee4912effcbf2b5
SHA256545b18e9cc74481b4f48d98c546276274a3053c005f61fd82b04f2ca468212dc
SHA51297e0e11374e154c4287210b65a2f4b86964a3b2ebd0c21608bf4e33ab6c0125eeceae690db21f5503ad2b5588019ccf5bfaeed76a6c2c3d5d100760b9b494cba
-
Filesize
342B
MD50a4e58f553f87fe297c4b73a5b7e3491
SHA1640002d53a5fc0815c18ff1c3445493e139b7306
SHA2561b67217300c4c05fcbddccaa9c4be816e56a664e3fb82eee72d701e08b6d89c0
SHA5121f366a56eff6d5b7f6557d03635416a6871899101ee89d7d48fc183ba13e449336763e75e3f04ed8f4ea7dbd0c9c04fca66fd64092a47da6536ba2f58a5e8090
-
Filesize
342B
MD5d18dbee9afc9df8b373b68050a5f8264
SHA1fc24c908468bde7ea28783934a813efc95c193da
SHA2562e2975afaba3bbdd870655448c8c7a29b6d3fb0a0b1423202f64c7f3a8374abd
SHA512e5b410e422b7b86fc6f6d3e1ed1ffddc978dc027a2720548aa4542ee63d151ddf3391d29c9038639c25a3be86b575c1258bc670c7226e545b54c427a6098bb98
-
Filesize
342B
MD58efd35fdb80d6880f0db19e0301a6222
SHA15b0453de5c98e38b9571735a504206a13339681b
SHA2568c60e4a7d7319fa8827e68de413d61dec420f0c2ed066deb14ef2203a288cff9
SHA51224211bd24f80ea2cff66b540630bd32bb2a2299e704b50362188a51fadd185bfe12cb131b5a8045975768926963c0f45763839caf16ce297e5f36f69a42c77cf
-
Filesize
342B
MD5e447c6da799398bb707681df4f89f3af
SHA160a559ff532ed6929373db147394deebd2d2e7f4
SHA256f5a81114c265886987408f08d0597299bb398d91d12cece6d81fddb0862f7cce
SHA5129b9be2b1d97d0914793ef41aea19a50fa7289a7bb7f87c45321fe4204c920184f8c86b12fbddaa7a6eac3106ae1b9aae43421c03e4005c5ccfffd03cb89b3987
-
Filesize
342B
MD550a38b4c5f32e7571c11239a345ef0c3
SHA1297e8268eca7182501888a66a8f154a248817852
SHA2568fe4c092040832aac20e1bbf2152d0dae7eddb39ca5d142e24b8d12163088224
SHA512444bd8569a4c9f8bf3258eb12f012c6f5ebf3011e14eb9fb263577fa89d419bdb39d4930b9eb4ff16db7fd1eb1641aa8275b2451c250e5cc895268467a454301
-
Filesize
342B
MD547d483dbd4a22cd3e3a83cba1a48ef7c
SHA1ad70f44716c5ebfab4c3df54e082dbe8a132e4eb
SHA2561061664042d8f1e8243524490c73267634b59838c6ac3ede0c2affc3bf996af9
SHA512990b5b7be81b12b493a89f9215051a792f3bb416cc3b8737013b8cb840de0804b7372697d416d8ed0642c2ddb930707ba3960be433b3098c189647c247e55f11
-
Filesize
342B
MD50fc8ad50d229163fc99e9e7a80f0a597
SHA1d9bb20632ad3136fe0aa7d7b51257d8f154f2064
SHA2566eecd2996813a2c2c1dadd43639f165d82416d130f4076cd2e5d76889272ebf7
SHA512188a57b27ec9d259c1d315cc3825f5a40b625dbe00dc83f8d09ef990c611d1422eacbba3d3aed643f81bf36e08575e326f0b0ee591b08932766d72bad1e3ccdf
-
Filesize
342B
MD52fac53d9f93f8c42b00d3f88106bf81b
SHA1396e86dda412a5426c5cb7f4612f443ec159274b
SHA256a873aa8b06aa1dd69c732944a1a728fdc1fd5d4ea92c60e01df62aa041665813
SHA512a8c865345ded27f0fc40c3de3f045fe419a70de4aa63e60e4c4b85e383719f744398722b17734d02f7faf1247125b12ab0386ef093b6839adb00935c4b6314ed
-
Filesize
342B
MD50fa66d8b570c1c341124faa11580d65a
SHA10fd9ce12ae0a14f899bb23ef8d3de5c25ecd6f92
SHA256903bed54bc00a9b8a2c1970c3a8f5261ce90bd159c2ba0f5d8af9df20d02aa95
SHA5127b7ee1dabf831b461c82d3720ec12943a9914854933ecd2beb68598c7ee8732909fabc64b0cca7be0a860dd948ddfd8f10190b6417c8d9adeede4f8221000899
-
Filesize
342B
MD53a139f3c28e24bfb7164086fc52e0315
SHA1ffd6f608fd3af164004664ee4deaa42c7451f5e0
SHA2566c542406f617e42f4bc273b3f4029e53177de0302b7610cade03fb5b3e073282
SHA512d8403cfb7531d368eecf7049c621573c4fda437cb0b8c87ace054c385775c65f22985d05954e64df781a2eb997acba81fa0c3a742dfe0fbd11d0be4bee394a2a
-
Filesize
342B
MD5e3f000e3ea23059558974498827edafd
SHA179d4219ae274a98cd197cb9baab530f3201a8432
SHA256efeb93902ae551bb709932c468c1781ce7ca2ab235502c8d334abe0923387dad
SHA5125741c94af3b5e0c3488db47e26cc8a37d9cfcb497b1d3b746b520faf7dbad3ff6e1538734fd85c008a3543539e97c34ae1c28829bf72b76e39a167cfb6eca070
-
Filesize
342B
MD546f16622988d2d54069035e8e2a8aa93
SHA1f6ce098b2533d04be618789fa4dc824b2c83b2a8
SHA256789079efc3547eb861d5d90ffd2263844a5561b24af498f722395bd23328628d
SHA512fe6e79c917166cb6cc2311d2a163bd40e0783efd85b65f68ccea467631d37081f9b85433dfaaa6a35fa760d4ae4e7dc98d874358652a56cc1b223aa665a01bcc
-
Filesize
342B
MD57e409b39d3424dbaa8026378ea3f8a6a
SHA125b63060325c859652388e264823cdc8aaac7cee
SHA256d429caf9b2f334ff1cd008ce14afbaa5e510fe87bb3fb2fad1c32736486051e6
SHA512792ce2084c07f127c96d5bec39a1df68c2cb24b4d64c51664f037e5cd7d3a724cbdb0eb0348aa73c108e95ceded0b330419928bcf7b992a97b0027b954efb96b
-
Filesize
342B
MD55b8df2ba508637694d1d9b8e706853fd
SHA1fdb265fe67ac32cbdc61094433e96cee3b51a229
SHA256b3bcdae89c4b31e2d57c8063417b9282a5de228d75c94560629d543c0019fd4c
SHA512a8107d1d9a5d888fdeb6899a4390a26d6110bc4e2cf6c732aea73ae3f6eb476d9ae4fb001667ac16ebcd54e4a79455537d0ec821d5a7a343d101e9e131920606
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD5da9f6ead0bb32028d6b340eca2d1402f
SHA1f7c9ada3fad61ab81e9f2fc56ea397f59e53be89
SHA2560e2329facaa15ff27378be49d49e002f68aed4183504191b14096cbead803f1c
SHA512924516a92a055101847e65b3ea4a8c08777e8fce328c62a302cc1e78e5f0854d8e6f5ece5b031f5c9253571a36af796cce5fe21922ea3ea8c032fc3726edb586
-
Filesize
831B
MD56d08309f2c23eea2dbe2369d271dd886
SHA1b77e21d25e2a7630ebb358d7896a55276ac40dd3
SHA256531d6d5f90c747d27c0a3819639e0218541a0174e97d4e4aecc380e3b06f6d72
SHA51281d53bd2358e55407fe1418bdd4ee68bbc8d8b97cecdc1e1844ab44589002ed59821072f14f785864b0e2a68632c2398f6dce951cdefd9cdd0c08950b795edc0
-
Filesize
3.0MB
MD58c4ce44fe6caba65e2619d5c5133223a
SHA104e8791e6eb4e7ed466fe0362d2ff954baea30eb
SHA25606c16957ce660e85ec172b15e2ae48ad03f639201c6aa27157d35b274d15c589
SHA512e4c3e58e4e0ee3e97168c0f87be8e0c961a213c54632356fc732eabc52cddd5b14d70b9a7d6aee1a0f480a6c33dc04ac15a8a43b563fd5cc44783d9d7ad2b12d
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
672KB