Analysis
-
max time kernel
274s -
max time network
277s -
platform
windows10_x64 -
resource
win10 -
submitted
09/07/2020, 21:07
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
setup.exe
-
Size
391KB
-
MD5
73972b302a4c3b3890b037677af29c9a
-
SHA1
beb4ebdce521336c52ae65c02030a67a6bb83c3f
-
SHA256
88b42f4e9df2396dec56cfefe1ffb73f0ba183240ed8341399960f22687bf019
-
SHA512
28c7753c0c0f9a197f0559de9f062a2fa4a3a6cfee1de45c1ace1b3dee164ef274a7306511faa69d71986cf10f2cecb975625819caf3f52651d74e179169ae15
Score
1/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4060 wrote to memory of 3884 4060 setup.exe 67 PID 4060 wrote to memory of 3884 4060 setup.exe 67 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3884 dfsvc.exe -
Modifies registry class 21 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "NT8QLK3857P758KTJ1P8HL51" dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata dfsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "2Y3162A7TD258NR5ZWD1LLED" dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies dfsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "AX7Q9WMRY922CX2661VKJ2D5" dfsvc.exe Key deleted \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Software\Microsoft\Windows\CurrentVersion dfsvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies registry class
PID:3884
-