Resubmissions (submitted, submission ID, score)
04-06-2023 21:35  230604-1fcwgadg89  10
13-02-2022 03:16  220213-dsq8asfbej  10
13-02-2022 03:12  220213-dqagrsdda9  10
13-02-2022 03:11  220213-dpxwnsfbdq  10
06-12-2021 20:39  211206-zflypsfahr  10
19-10-2021 03:48  211019-ec1mgafbf7  10
11-08-2021 05:28  210811-rjsxfvjxd2  10
11-08-2021 05:07  210811-rs31ylg4ls  10
11-08-2021 04:56  210811-tvaldfm4jx  10
Analysis
- max time kernel: 49s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 13-02-2022 03:16
- Static task: static1
General
- Target: Setup.exe
- Size: 1.6MB
- MD5: ce6eaa52767b2df78b34519231966588
- SHA1: ab32d09951189022a1a39e9204ec9ce2926b3fcf
- SHA256: 40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
- SHA512: 36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
Malware Config
Signatures
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Setup.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Setup.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  13 | ipinfo.io
  16 | ipinfo.io
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes: taskmgr.exe, Setup.exe
  pid | process (the 27 entries repeat these two pairs)
  8 | taskmgr.exe
  2716 | Setup.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process (the 64 entries repeat these five rows)
  Token: SeShutdownPrivilege | 3480 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3480 | svchost.exe
  Token: SeSecurityPrivilege | 1708 | TiWorker.exe
  Token: SeRestorePrivilege | 1708 | TiWorker.exe
  Token: SeBackupPrivilege | 1708 | TiWorker.exe
- Suspicious use of FindShellTrayWindow (36 IoCs)
  Processes: taskmgr.exe
  pid | process (all 36 entries are this row)
  8 | taskmgr.exe
- Suspicious use of SendNotifyMessage (36 IoCs)
  Processes: taskmgr.exe
  pid | process (all 36 entries are this row)
  8 | taskmgr.exe
Processes (indentation shows process tree depth)
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Documents\QcYpdXYoUw1ndXTzBbCh9OCq.exe
    command line: "C:\Users\Admin\Documents\QcYpdXYoUw1ndXTzBbCh9OCq.exe"
  - C:\Users\Admin\Documents\_C73kS_G445gOisXmesrjCXH.exe
    command line: "C:\Users\Admin\Documents\_C73kS_G445gOisXmesrjCXH.exe"
  - C:\Users\Admin\Documents\ynEvi3qtYjlIooadkc0mVXNT.exe
    command line: "C:\Users\Admin\Documents\ynEvi3qtYjlIooadkc0mVXNT.exe"
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads