Overview

overview

8

Static

static

Setup12.exe_.exe

windows7_x64

8

Setup12.exe_.exe

windows10_x64

8

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    24-10-2021 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup12.exe_.exe

  • Size

    3.0MB

  • MD5

    96c6b5a436880dca627c18da77fb7048

  • SHA1

    c906eb0bd5caad620137a1f83fca4eaba4654022

  • SHA256

    1617312694ff78615ceee4b38553cd2c7f3a0819a94de39e09dcdd3800c1ce1c

  • SHA512

    277fb59ff99fc47e309883f159de5bc1ecbd4d03d19813697bd1bdd995cb48046b7fa62ca4aab337c776acd25c80cbd182466e9783ddd47f2601670736fad454

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup12.exe_.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup12.exe_.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
      "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
      2⤵
      • Executes dropped EXE
      PID:1168
    • C:\Program Files (x86)\Company\NewProduct\inst3.exe
      "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
      2⤵
      • Executes dropped EXE
      PID:1516
    • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
      "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1292

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
    MD5

    17f6f3213a5a5d2fb1ef8793081c5ddd

    SHA1

    4601bd223fd7c52b12bc186ec9a0eb94167aaebb

    SHA256

    6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

    SHA512

    b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
    MD5

    17f6f3213a5a5d2fb1ef8793081c5ddd

    SHA1

    4601bd223fd7c52b12bc186ec9a0eb94167aaebb

    SHA256

    6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

    SHA512

    b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    MD5

    07e143efd03815a3b8c8b90e7e5776f0

    SHA1

    077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

    SHA256

    32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

    SHA512

    79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\inst3.exe
    MD5

    a41adbdafc72a86a7a74c494659954b4

    SHA1

    d43696a0e3704a141fc0cf6a1098525c00ce882f

    SHA256

    d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

    SHA512

    44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    MD5

    12ef159d590b06aa7673987b5b66df62

    SHA1

    0daaa15a5880766b22318e58dc7895f5c5a3f8dc

    SHA256

    c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

    SHA512

    c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    MD5

    12ef159d590b06aa7673987b5b66df62

    SHA1

    0daaa15a5880766b22318e58dc7895f5c5a3f8dc

    SHA256

    c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

    SHA512

    c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

    Download Submit

  • \Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
    MD5

    17f6f3213a5a5d2fb1ef8793081c5ddd

    SHA1

    4601bd223fd7c52b12bc186ec9a0eb94167aaebb

    SHA256

    6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

    SHA512

    b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

    Download Submit

  • \Program Files (x86)\Company\NewProduct\cutm3.exe
    MD5

    07e143efd03815a3b8c8b90e7e5776f0

    SHA1

    077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

    SHA256

    32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

    SHA512

    79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

    Download Submit

  • \Program Files (x86)\Company\NewProduct\inst3.exe
    MD5

    a41adbdafc72a86a7a74c494659954b4

    SHA1

    d43696a0e3704a141fc0cf6a1098525c00ce882f

    SHA256

    d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

    SHA512

    44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

    Download Submit

  • \Program Files (x86)\Company\NewProduct\md8_8eus.exe
    MD5

    12ef159d590b06aa7673987b5b66df62

    SHA1

    0daaa15a5880766b22318e58dc7895f5c5a3f8dc

    SHA256

    c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

    SHA512

    c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

    Download Submit

  • memory/836-55-0x0000000076531000-0x0000000076533000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1168-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1292-77-0x000000001B000000-0x000000001B002000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1292-75-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1292-69-0x0000000000000000-mapping.dmp

    Download

  • memory/1516-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1516-64-0x0000000000160000-0x0000000000172000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1516-63-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1924-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1924-74-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1924-78-0x0000000000F90000-0x0000000000FA0000-memory.dmp

    Filesize

    64KB

    Download