Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24-06-2024 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: MicrosoftToolkit.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: MicrosoftToolkit.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: MicrosoftToolkit.exe
  Resource: win10v2004-20240508-en
General
- Target: MicrosoftToolkit.exe
- Size: 317.1MB
- MD5: d3086e8a000add3d507a72d464e82e4b
- SHA1: 16de80b98ac8cbb17863662fa1d02b6cd3151628
- SHA256: 2a9b1c1f730c4146ff4356e3c5b6329ff5ea6f022d51146b61df8d276afd90df
- SHA512: 6ed6edd5bc1604bdaecbb2b2181bdc5820d53d90477f47980aa14bbc1c081c0e178b524bb972e13df6fa134403d7ff3ac6fd6772857c32f69f7dd0efef0a839e
- SSDEEP: 196608:WXnfk307gaHtQJhl4b9m/yNhnrH1PY0Zh4e:WXn830cI+lr/yNhnrVPzh
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                             | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate    | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid  | process
  1444 | Setup.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  resource                                                                    | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Setup.exe                                 | upx
  behavioral4/memory/1444-16-0x0000000000400000-0x0000000000623000-memory.dmp | upx
  behavioral4/memory/1444-80-0x0000000000400000-0x0000000000623000-memory.dmp | upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid | process
  760 | MicrosoftToolkit.exe
  760 | MicrosoftToolkit.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                                  | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | MicrosoftToolkit.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MicrosoftToolkit.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
  description       | ioc                                                                 | process
  Key created       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                  | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Setup.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid  | process
  760  | MicrosoftToolkit.exe
  760  | MicrosoftToolkit.exe
  1444 | Setup.exe
  1444 | Setup.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description                       | pid  | process
  Token: 33                         | 1444 | Setup.exe
  Token: SeIncBasePriorityPrivilege | 1444 | Setup.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid  | process
  1444 | Setup.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                     | pid | process              | target process
  PID 760 wrote to memory of 1444 | 760 | MicrosoftToolkit.exe | Setup.exe
  PID 760 wrote to memory of 1444 | 760 | MicrosoftToolkit.exe | Setup.exe
  PID 760 wrote to memory of 1444 | 760 | MicrosoftToolkit.exe | Setup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
  Depth: 1
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  Depth: 2 (child of the process above)
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Filesize: 3.8MB
  MD5: 323c0fd51071400b51eedb1be90a8188
  SHA1: 0efc35935957c25193bbe9a83ab6caa25a487ada
  SHA256: 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
  SHA512: 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e
- memory/760-0-0x00000000152A0000-0x00000000152A1000-memory.dmp (Filesize: 4KB)
- memory/760-1-0x00000000152B0000-0x00000000152B1000-memory.dmp (Filesize: 4KB)
- memory/760-2-0x0000000000840000-0x0000000001840000-memory.dmp (Filesize: 16.0MB)
- memory/1444-38-0x0000000010000000-0x0000000010021000-memory.dmp (Filesize: 132KB)
- memory/1444-17-0x0000000000B70000-0x0000000000B83000-memory.dmp (Filesize: 76KB)
- memory/1444-16-0x0000000000400000-0x0000000000623000-memory.dmp (Filesize: 2.1MB)
- memory/1444-62-0x0000000002490000-0x00000000024A0000-memory.dmp (Filesize: 64KB)
- memory/1444-46-0x0000000002460000-0x0000000002471000-memory.dmp (Filesize: 68KB)
- memory/1444-71-0x00000000024A0000-0x00000000024C0000-memory.dmp (Filesize: 128KB)
- memory/1444-30-0x0000000002440000-0x0000000002452000-memory.dmp (Filesize: 72KB)
- memory/1444-54-0x0000000002480000-0x0000000002490000-memory.dmp (Filesize: 64KB)
- memory/1444-25-0x0000000000B20000-0x0000000000B30000-memory.dmp (Filesize: 64KB)
- memory/1444-80-0x0000000000400000-0x0000000000623000-memory.dmp (Filesize: 2.1MB)