Analysis
max time kernel
142s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
31/10/2024, 06:48
Static task
static1
Behavioral task
behavioral1
Sample
TrustedInstaller.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
TrustedInstaller.exe
Resource
win10v2004-20241007-en
General
Target
TrustedInstaller.exe
Size
213KB
MD5
2f675e03759ef3ebc2c3f50e74083511
SHA1
2b6d10856d1f0c01d37786094efcd9314c5a9024
SHA256
16dfb38831b7ad38f1f36e8a15298133e5738bdc969674b720d5c43aaed59840
SHA512
34539e491e0c09d7677da7bee1dcfaf123e56c8193e4b88895b6f51f24e2382bd2380a4cff77edeb09ebe288b939a42eda227f7e5f1e62caf567a8bc80cb2c78
SSDEEP
3072:IPfSUM+yWrvnK99pJE4lNGAQ8etVEoDQ2equdLg+hguIlo0lVTyRgFX:E6Upr/KnrcAPuTQdLN6uI1pyc
Malware Config
Signatures
Andromeda family

Detects Andromeda payload. 5 IoCs
resource                                                                       yara_rule
behavioral1/memory/1888-5-0x0000000000400000-0x0000000000409000-memory.dmp     family_andromeda
behavioral1/memory/1888-7-0x0000000000400000-0x0000000000409000-memory.dmp     family_andromeda
behavioral1/memory/1888-11-0x0000000000400000-0x0000000000409000-memory.dmp    family_andromeda
behavioral1/memory/2464-17-0x0000000000020000-0x0000000000025000-memory.dmp    family_andromeda
behavioral1/memory/2464-21-0x0000000000020000-0x0000000000025000-memory.dmp    family_andromeda

Adds policy Run key to start application. 2 TTPs, 2 IoCs
description       ioc                                                                                                                        Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                                          svchost.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\57583 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccoasiiaz.exe"   svchost.exe

Executes dropped EXE. 1 IoC
pid    Process
1888   TrustedInstaller.exe

Loads dropped DLL. 1 IoC
pid    Process
2528   TrustedInstaller.exe

Suspicious use of SetThreadContext. 1 IoC
description                              pid    Process                procid_target
PID 2528 set thread context of 1888      2528   TrustedInstaller.exe   30

Drops file in Program Files directory. 1 IoC
description    ioc                                         Process
File created   C:\PROGRA~3\LOCALS~1\Temp\ccoasiiaz.exe     svchost.exe

System Location Discovery: System Language Discovery. 1 TTP, 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TrustedInstaller.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TrustedInstaller.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe

Suspicious behavior: EnumeratesProcesses. 16 IoCs
pid    Process
2528   TrustedInstaller.exe   (16 identical entries)

Suspicious behavior: MapViewOfSection. 2 IoCs
pid    Process
1888   TrustedInstaller.exe   (2 identical entries)

Suspicious use of WriteProcessMemory. 11 IoCs
description                          pid    Process                procid_target
PID 2528 wrote to memory of 1888     2528   TrustedInstaller.exe   30   (7 identical entries)
PID 1888 wrote to memory of 2464     1888   TrustedInstaller.exe   31   (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"
  PID: 2528
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe (child of PID 2528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"
    PID: 1888
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\svchost.exe (child of PID 1888)
      Command line: C:\Windows\syswow64\svchost.exe
      PID: 2464
      - Adds policy Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
213KB
MD5
2f675e03759ef3ebc2c3f50e74083511
SHA1
2b6d10856d1f0c01d37786094efcd9314c5a9024
SHA256
16dfb38831b7ad38f1f36e8a15298133e5738bdc969674b720d5c43aaed59840
SHA512
34539e491e0c09d7677da7bee1dcfaf123e56c8193e4b88895b6f51f24e2382bd2380a4cff77edeb09ebe288b939a42eda227f7e5f1e62caf567a8bc80cb2c78