Analysis

  • max time kernel: 99s
  • max time network: 133s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 10-04-2021 06:02

General

  • Target: setups.exe
  • Size: 2.0MB
  • MD5: 2f6511abc3a54d2ecadc0970805a0ad6
  • SHA1: a2b304428f02d9f4b23c24cc7fe80f319a51f204
  • SHA256: be315dc46922d27c67a50ebadaa0d47425f89108c5657841aaee35ae5375ec7e
  • SHA512: 81165db7fd648f1944b3365722baff3884bebb8328c901a8e3e80c318ebba4c88c092df3982eaf013b3757047442a8fed93048222c5a757d45185bd93c835638

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Loads dropped DLL (7 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 3 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\setups.exe (PID 4768)
    "C:\Users\Admin\AppData\Local\Temp\setups.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\is-MCON9.tmp\setups.tmp (PID 5064)
      "C:\Users\Admin\AppData\Local\Temp\is-MCON9.tmp\setups.tmp" /SL5="$20114,1873631,71168,C:\Users\Admin\AppData\Local\Temp\setups.exe"
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (PID 576)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\browser_broker.exe (PID 832)
    C:\Windows\system32\browser_broker.exe -Embedding
    • Modifies Internet Explorer settings
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 2068)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 2568)
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: T1112 Modify Registry (1)
  • Discovery: T1012 Query Registry (1)
  • Discovery: T1082 System Information Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-MCON9.tmp\setups.tmp
    MD5: ffea47ed33ad5876771da0d9d4489e7b
    SHA1: b79481ec06a71ce81255fdef3cfab55e07a99eaa
    SHA256: d65548988a58773251e1d193a243ca98d5ee74fa371e0b47b759bb061c00f6c3
    SHA512: 27ec2cbc8e445080927ffb5408eaaf0fb8c0f6535f70201edebc1e44c21000185b92fd783f8dd5c4ef89a845a92a71feb75dd46290982b1bdbe271d2067d3f09

  • \Users\Admin\AppData\Local\Temp\is-Q4CGA.tmp\_isetup\_isdecmp.dll
    MD5: fd4743e2a51dd8e0d44f96eae1853226
    SHA1: 646cef384e949aaf61e6d0b243d8d84ab04e79b7
    SHA256: 6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b
    SHA512: 4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

  • \Users\Admin\AppData\Local\Temp\is-Q4CGA.tmp\idp.dll
    MD5: b37377d34c8262a90ff95a9a92b65ed8
    SHA1: faeef415bd0bc2a08cf9fe1e987007bf28e7218d
    SHA256: e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
    SHA512: 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

  • \Users\Admin\AppData\Local\Temp\is-Q4CGA.tmp\itdownload.dll
    MD5: d82a429efd885ca0f324dd92afb6b7b8
    SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
    SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
    SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

  • \Users\Admin\AppData\Local\Temp\is-Q4CGA.tmp\psvince.dll
    MD5: d726d1db6c265703dcd79b29adc63f86
    SHA1: f471234fa142c8ece647122095f7ff8ea87cf423
    SHA256: 0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692
    SHA512: 8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4

  • memory/4768-114-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize: 96KB
  • memory/5064-121-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize: 4KB
  • memory/5064-125-0x0000000003770000-0x00000000037AC000-memory.dmp
    Filesize: 240KB
  • memory/5064-128-0x0000000002410000-0x000000000241E000-memory.dmp
    Filesize: 56KB
  • memory/5064-119-0x0000000002151000-0x0000000002155000-memory.dmp
    Filesize: 16KB
  • memory/5064-115-0x0000000000000000-mapping.dmp