Analysis
Max time kernel: 62s
Max time network: 16s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 19-10-2021 14:42

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10-en-20210920
General
Target: setup.exe
Size: 379KB
MD5: 3329dc6e93761fd9597063f368ea952c
SHA1: bc1e6f6a5d19ae794547f3c7e78f6bc0dadc7d3f
SHA256: cc5c6a78feac84ff7936e15863c4d4b02cab421b8c09c4735212bf8dbb07adfb
SHA512: 9ac13f9f210d87fa29ebc5c9440abc43550a045ea9816d21b1ea8f0532d4dbe262e6842a1dddbcd61eb40cab9b62f7c2f1e8ad361c7cca7a6a84230be3bdfda9
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    756 setup.tmp
    1500 setup.tmp
    1912 postback.exe

Loads dropped DLL (12 IoCs)
  Processes (pid, process):
    1764 setup.exe
    756 setup.tmp (3 entries)
    612 setup.exe
    1500 setup.tmp (5 entries)
    1200 (2 entries, process name not listed)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
  Processes (description, ioc, process):
    File created | C:\Program Files (x86)\FarLabUninstaller\is-27RP4.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | setup.tmp
    File created | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | setup.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1500 setup.tmp (2 entries)

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
    1500 setup.tmp

Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (description, pid, process, target process):
    PID 1764 wrote to memory of 756 | 1764 | setup.exe | setup.tmp (7 entries)
    PID 756 wrote to memory of 612 | 756 | setup.tmp | setup.exe (7 entries)
    PID 612 wrote to memory of 1500 | 612 | setup.exe | setup.tmp (7 entries)
    PID 1500 wrote to memory of 1912 | 1500 | setup.tmp | postback.exe (4 entries)
Processes (indentation shows the parent/child chain)

C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 1764
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-FC5F3.tmp\setup.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-FC5F3.tmp\setup.tmp" /SL5="$40158,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    PID: 756
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
      PID: 612
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\is-N1J17.tmp\setup.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-N1J17.tmp\setup.tmp" /SL5="$50158,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        PID: 1500
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\is-14RBP.tmp\postback.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-14RBP.tmp\postback.exe" ss1
          PID: 1912
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\is-14RBP.tmp\postback.exe
  MD5: b3bb91ad96f2d4c041861ce59ba6ac73
  SHA1: e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
  SHA256: 0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
  SHA512: e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

C:\Users\Admin\AppData\Local\Temp\is-FC5F3.tmp\setup.tmp
  MD5: 9303156631ee2436db23827e27337be4
  SHA1: 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-N1J17.tmp\setup.tmp
  MD5: 9303156631ee2436db23827e27337be4
  SHA1: 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
\Users\Admin\AppData\Local\Temp\is-14RBP.tmp\_isetup\_shfoldr.dll
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
\Users\Admin\AppData\Local\Temp\is-14RBP.tmp\idp.dll
  MD5: b37377d34c8262a90ff95a9a92b65ed8
  SHA1: faeef415bd0bc2a08cf9fe1e987007bf28e7218d
  SHA256: e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
  SHA512: 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

\Users\Admin\AppData\Local\Temp\is-14RBP.tmp\postback.exe
  MD5: b3bb91ad96f2d4c041861ce59ba6ac73
  SHA1: e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
  SHA256: 0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
  SHA512: e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd
\Users\Admin\AppData\Local\Temp\is-66A4S.tmp\_isetup\_shfoldr.dll
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
\Users\Admin\AppData\Local\Temp\is-66A4S.tmp\idp.dll
  MD5: b37377d34c8262a90ff95a9a92b65ed8
  SHA1: faeef415bd0bc2a08cf9fe1e987007bf28e7218d
  SHA256: e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
  SHA512: 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

\Users\Admin\AppData\Local\Temp\is-FC5F3.tmp\setup.tmp
  MD5: 9303156631ee2436db23827e27337be4
  SHA1: 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

\Users\Admin\AppData\Local\Temp\is-N1J17.tmp\setup.tmp
  MD5: 9303156631ee2436db23827e27337be4
  SHA1: 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Memory dumps
memory/612-65-0x0000000000000000-mapping.dmp
memory/612-75-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
memory/756-57-0x0000000000000000-mapping.dmp
memory/756-64-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
memory/1500-76-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
memory/1500-69-0x0000000000000000-mapping.dmp
memory/1764-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
  Filesize: 8KB
memory/1764-63-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
memory/1912-80-0x0000000000000000-mapping.dmp
memory/1912-82-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
  Filesize: 8KB