Analysis

  • max time kernel: 117s
  • max time network: 123s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 10-12-2021 07:54

General

  • Target: setup.exe
  • Size: 87.0MB
  • MD5: 15d1ff4e15e0bbf16b23399c496c4759
  • SHA1: 841dab2c6d373b4384ee053ea6788dba65160ba7
  • SHA256: 8b45a1d20ee96da3d81d3a5bad7c71f99a20fa9a7aae47068abff6c50f912902
  • SHA512: 6b46b34b1f0635b22ff7770d0428eaf33aadb4187a839d7ad5971992f228b4224f7d8665b3576de448d9c63e5983bf2d4edf6b380686a3c5ef30a9ba5425d37c

Score
8/10

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the signature is a generic heuristic: installers such as this one routinely enumerate drives before writing files, so on its own it is not evidence of encryption activity.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\AppData\Local\Temp\Symantec\SsaWrapper.exe
      "SsaWrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe" /s /w
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Windows\system32\pcaui.exe
          "C:\Windows\system32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {ab91612d-df36-4cbe-9df7-83dcac049825} /a "Symantec Endpoint Protection" /v "Symantec" /s "Symantec Endpoint Protection is incompatible with this version of Windows. For more information, contact Symantec." /b 2 /f 0 /k 0 /e "C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe"
          4⤵
            PID:4212
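The tree above is worth reading as a chain rather than as four isolated hits: the submitted setup.exe (PID 3404) writes and runs SsaWrapper.exe (3820), which runs the inner Symantec Setup.exe (4028) with /s /w, and that installer is then refused by Windows' Program Compatibility Assistant, whose UI process pcaui.exe (4212) carries the "incompatible with this version of Windows" message and the flagged executable in its /s and /e switches. The script below, an added example that is not part of the Triage report and not Triage's own signature code, reconstructs the "Executes dropped EXE" hits from the process records and the dropped-file list transcribed from this page, and pulls the flagged executable and message out of the pcaui.exe command line. The rule logic is my approximation of the signature (image path equals a file the sample itself wrote), not the sandbox's implementation.

```python
"""Re-derive findings from a Triage process tree (added example, transcribed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the submitted sample, the root of the tree
    image: str
    cmdline: str

# Command line of the pcaui.exe child, copied from the report's Processes section.
PCAUI_CMD = (r'"C:\Windows\system32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} '
             r'/x {ab91612d-df36-4cbe-9df7-83dcac049825} /a "Symantec Endpoint Protection" '
             r'/v "Symantec" /s "Symantec Endpoint Protection is incompatible with this '
             r'version of Windows. For more information, contact Symantec." /b 2 /f 0 /k 0 '
             r'/e "C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe"')

# Process records transcribed from the report: pid, parent pid, image, command line.
PROCESSES = [
    Proc(3404, None, r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'),
    Proc(3820, 3404, r"C:\Users\Admin\AppData\Local\Temp\Symantec\SsaWrapper.exe",
         '"SsaWrapper.exe"'),
    Proc(4028, 3820, r"C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe" /s /w'),
    Proc(4212, 4028, r"C:\Windows\system32\pcaui.exe", PCAUI_CMD),
]

# Files the report lists under Downloads, i.e. written to disk during the run.
DROPPED = {
    r"C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe",
    r"C:\Users\Admin\AppData\Local\Temp\Symantec\SsaWrapper.exe",
}

def executes_dropped_exe(procs: List[Proc], dropped) -> List[int]:
    """PIDs whose image is a file the sample itself wrote (the report's 2 IoCs)."""
    dropped_ci = {p.lower() for p in dropped}     # NTFS paths compare case-insensitively
    return [p.pid for p in procs if p.image.lower() in dropped_ci]

def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Image file names from pid up to the root, so each hit carries its provenance."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid is not None:
        p = by_pid[pid]
        chain.append(p.image.rsplit("\\", 1)[-1])
        pid = p.ppid
    return chain

# /x VALUE or /x "quoted value"; pcaui.exe uses single-letter switches.
_SWITCH = re.compile(r'/(\w)\s+(?:"([^"]*)"|(\S+))')

def parse_switches(cmdline: str) -> dict:
    """Map single-letter switches to their values, with surrounding quotes removed."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _SWITCH.finditer(cmdline)}

def pca_dialogs(procs: List[Proc]) -> List[dict]:
    """Program Compatibility Assistant prompts: which exe was flagged, by whom, and why."""
    out = []
    for p in procs:
        if p.image.lower().endswith(r"\pcaui.exe"):
            sw = parse_switches(p.cmdline)
            out.append({"pid": p.pid, "parent": p.ppid, "exe": sw.get("e"),
                        "app": sw.get("a"), "message": sw.get("s")})
    return out

if __name__ == "__main__":
    for pid in executes_dropped_exe(PROCESSES, DROPPED):
        print("Executes dropped EXE:", pid, " <- ".join(ancestry(PROCESSES, pid)))
    for d in pca_dialogs(PROCESSES):
        print("PCA refused", d["exe"], "launched by PID", d["parent"], ":", d["message"])
```

The dropped-file rule is deliberately keyed on the report's own Downloads list rather than on a path prefix such as %TEMP%, because a legitimate installer and a dropper both run from the user's temp directory; what distinguishes the two in this tree is the PCA refusal, which is why pulling the /e and /s values out of pcaui.exe is more useful than the hit count alone.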

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: T1082 System Information Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Symantec\Setup.exe
    MD5: 964f1ea9384d72735b92e20379390543
    SHA1: 4ae1b8d48301a28da6a1766208d5043c5afcbe9d
    SHA256: 3385a845c8c344bb82b5154a5abf53db23e6a3187d5137520ea70bda26ce22ab
    SHA512: 3d0930ba241b67e49358f0787f815baff45d2931cca488925b646eda4a9205cad538f422b45436a3d7fcefc3e3cb5dccc8eb1ee606186503e011b7747f7f1584

  • C:\Users\Admin\AppData\Local\Temp\Symantec\SsaWrapper.exe
    MD5: b1e88978f05e35b55e44b5f8f1fa34f9
    SHA1: 9bc53365599c6897cbc2d11b483b4e8efc24c6dc
    SHA256: 38262bac11289042fcbc443d625c2e0f637374e58bc2cfa8234e1966a057409d
    SHA512: 4c91657ff3f7ff03340faf15f4f91150ffe8f88d0424e6d2dfa9a60c1aca4f9c14449525a42ca6fe00d21196f0ebe379c83506594d902137ca7262d3bc1ddf73

  • memory/3820-118-0x0000000000000000-mapping.dmp
  • memory/4028-121-0x0000000000000000-mapping.dmp
  • memory/4212-123-0x0000000000000000-mapping.dmp