Overview

overview

10

Static

static

Setup.exe

windows7_x64

8

Setup.exe

windows7_x64

8

Setup.exe

windows7_x64

8

Setup.exe

windows11_x64

8

Setup.exe

windows10_x64

8

Setup.exe

windows10_x64

8

Setup.exe

windows10_x64

10

Resubmissions

12-09-2021 07:23

210912-h76zhscbc3 10

12-09-2021 07:04

210912-hwe2nafbaq 10

Analysis

  • max time kernel
    309s
  • max time network
    511s
  • platform
    windows10_x64
  • resource
    win10-de
  • submitted
    12-09-2021 07:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    10.1MB

  • MD5

    32d11c996b67786686172b4179c6ee46

  • SHA1

    d99662924b9d260872bba995b233332ee0eab748

  • SHA256

    1d364c185082bf798f4ff21f33b63c84cc1407ca33be17793990190b59d2042c

  • SHA512

    5dd02bf6a325befea5ce450b453376bee609b03df562fafdf6603b9e6c84e534e5d13b42aaacf0a99f0ffdc767d529c63fd073c6cf76e193f6268fb54ce8276b

Score
10/10
persistence

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 3 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs
    persistence
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      2⤵
      • Executes dropped EXE
      PID:4088
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4328
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
      2⤵
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:4852
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4632
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    1⤵
      PID:4808
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:552

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
      MD5

      482f6e8cdb127285f003a1e735a3791e

      SHA1

      24205c984f66bf5701e123f6b189699551553936

      SHA256

      a2e7f10da89bb038118a08699a32fe59861304ecd206d2d0f60f966514172559

      SHA512

      20e95b9e19d116239720261af25c66ffa9ae4eb1483af689e374f505d2e1af811bbb28f04f2bdd126f43180cb312375797ec0c193ce5d52cc3757d5a197daf5a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.DLL
      MD5

      f5fe453d483dca5a85fdd74bbbb7cffa

      SHA1

      c7cd1089b520a7a21bdbe84a311b86f4c395a550

      SHA256

      5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

      SHA512

      6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\MSVCP140.dll
      MD5

      0c6f22feabe8f0fe0f4fca7406e19e48

      SHA1

      c1ff9723bb6c25d27704086521767822b2eb3450

      SHA256

      2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

      SHA512

      d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\Telemetry.dll
      MD5

      7bfedf5e7dda62c9014fb4b07f8d7814

      SHA1

      b3bb93818b1c482cff1e965599678ae91fb5ffa9

      SHA256

      a6c2d9050758272d0b43a68f3e50925c65b11353776ec7b8a52a4095c9ba6b39

      SHA512

      de4a7596e4031e2cd91c4484ae3eba873ac96cc96ed54221d2d766010407d83211cd00ad49afb7a4cee1eafc4a3fc46ed0d92c2e30c32e0fe76ae9212e213a9a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\UpdateRingSettings.dll
      MD5

      5888321cc9a6abd980e76b8e359f5cc2

      SHA1

      8b0cf82d39f5c45d710f962bd305fe3aa89c30cd

      SHA256

      0be7e06ff418080feb0cda6d063ac3389028e7c539c88d7a2a5a4706c56f4d7c

      SHA512

      3e56b88f09eaf86b4e05746a1f228be472bd0f6e30b2a66f4319783d03dd21f0ece1d8eef9ca89018cc38117fa27cc6f01e1bebe1450b857205a998542a5390c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\VCRUNTIME140.dll
      MD5

      b33654014faaa8eec2d2985d45fd0792

      SHA1

      b43ce9aa087b18928c1d251205f8cbddda960530

      SHA256

      2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

      SHA512

      66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
      MD5

      de6439a1aab42bb1b8de75c1adb239d6

      SHA1

      499f6f9ed94a63f478b95fc08481e001f97e1620

      SHA256

      6d6767a2179b97b728ad52a7252fc015a6128d1d54f09280dddff508604b860b

      SHA512

      495e9ff826bd34a0564a8911646c8e162fdee63292d60366b380aa6c627300a09e9deccf2ccbefae6c27a311fc8b708d6f2019d374f4bfb1aae8a5a83e82fb80

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      MD5

      85ffda25e7f8584420496a45ff114eb5

      SHA1

      1ce8d2d592d1ca1509fb18a3d6cc8a251dc5c5f8

      SHA256

      124701995b3aefba458dc4f654ff2e6c8df014e9ab210525edc031abf24c0491

      SHA512

      5c07a29fc42e81a4591e8dbbea2a641b42a110bb31f4b6458794124246210af805bacd6949b95310038c5f19be392d33be081f2dce3946917e8972e00cc3fa90

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.dll
      MD5

      f5fe453d483dca5a85fdd74bbbb7cffa

      SHA1

      c7cd1089b520a7a21bdbe84a311b86f4c395a550

      SHA256

      5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

      SHA512

      6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.dll
      MD5

      f5fe453d483dca5a85fdd74bbbb7cffa

      SHA1

      c7cd1089b520a7a21bdbe84a311b86f4c395a550

      SHA256

      5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

      SHA512

      6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.dll
      MD5

      f5fe453d483dca5a85fdd74bbbb7cffa

      SHA1

      c7cd1089b520a7a21bdbe84a311b86f4c395a550

      SHA256

      5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

      SHA512

      6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\Telemetry.dll
      MD5

      7bfedf5e7dda62c9014fb4b07f8d7814

      SHA1

      b3bb93818b1c482cff1e965599678ae91fb5ffa9

      SHA256

      a6c2d9050758272d0b43a68f3e50925c65b11353776ec7b8a52a4095c9ba6b39

      SHA512

      de4a7596e4031e2cd91c4484ae3eba873ac96cc96ed54221d2d766010407d83211cd00ad49afb7a4cee1eafc4a3fc46ed0d92c2e30c32e0fe76ae9212e213a9a

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\UpdateRingSettings.dll
      MD5

      5888321cc9a6abd980e76b8e359f5cc2

      SHA1

      8b0cf82d39f5c45d710f962bd305fe3aa89c30cd

      SHA256

      0be7e06ff418080feb0cda6d063ac3389028e7c539c88d7a2a5a4706c56f4d7c

      SHA512

      3e56b88f09eaf86b4e05746a1f228be472bd0f6e30b2a66f4319783d03dd21f0ece1d8eef9ca89018cc38117fa27cc6f01e1bebe1450b857205a998542a5390c

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\msvcp140.dll
      MD5

      0c6f22feabe8f0fe0f4fca7406e19e48

      SHA1

      c1ff9723bb6c25d27704086521767822b2eb3450

      SHA256

      2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

      SHA512

      d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
      MD5

      b33654014faaa8eec2d2985d45fd0792

      SHA1

      b43ce9aa087b18928c1d251205f8cbddda960530

      SHA256

      2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

      SHA512

      66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
      MD5

      b33654014faaa8eec2d2985d45fd0792

      SHA1

      b43ce9aa087b18928c1d251205f8cbddda960530

      SHA256

      2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

      SHA512

      66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

      Download Submit
    • memory/4088-115-0x0000000000000000-mapping.dmp
      Download
    • memory/4660-117-0x0000000000000000-mapping.dmp
      Download
    • memory/4852-119-0x0000000000000000-mapping.dmp
      Download