Resubmissions

  • 230604-1fcwgadg89 (score 10), submitted 04-06-2023 21:35
  • 220213-dsq8asfbej (score 10), submitted 13-02-2022 03:16
  • 220213-dqagrsdda9 (score 10), submitted 13-02-2022 03:12
  • 220213-dpxwnsfbdq (score 1), submitted 13-02-2022 03:11
  • 211206-zflypsfahr (score 10), submitted 06-12-2021 20:39
  • 211019-ec1mgafbf7 (score 10), submitted 19-10-2021 03:48
  • 210811-rjsxfvjxd2 (score 10), submitted 11-08-2021 05:28
  • 210811-rs31ylg4ls (score 10), submitted 11-08-2021 05:07
  • 210811-tvaldfm4jx (score 10), submitted 11-08-2021 04:56

Analysis

  • max time kernel
    49s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    13-02-2022 03:16

General

  • Target

    Setup.exe

  • Size

    1.6MB

  • MD5

    ce6eaa52767b2df78b34519231966588

  • SHA1

    ab32d09951189022a1a39e9204ec9ce2926b3fcf

  • SHA256

    40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5

  • SHA512

    36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    PID:2716
    • C:\Users\Admin\Documents\QcYpdXYoUw1ndXTzBbCh9OCq.exe
      "C:\Users\Admin\Documents\QcYpdXYoUw1ndXTzBbCh9OCq.exe"
      2⤵
      PID:3488
    • C:\Users\Admin\Documents\_C73kS_G445gOisXmesrjCXH.exe
      "C:\Users\Admin\Documents\_C73kS_G445gOisXmesrjCXH.exe"
      2⤵
      PID:1280
    • C:\Users\Admin\Documents\ynEvi3qtYjlIooadkc0mVXNT.exe
      "C:\Users\Admin\Documents\ynEvi3qtYjlIooadkc0mVXNT.exe"
      2⤵
      PID:996
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3480
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1708
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:8

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Modify Existing Service (1) T1031
  • Defense Evasion
    • Modify Registry (1) T1112
    • Disabling Security Tools (1) T1089
  • Credential Access
    • Credentials in Files (1) T1081
  • Discovery
    • Query Registry (3) T1012
    • System Information Discovery (4) T1082
    • Peripheral Device Discovery (1) T1120
  • Collection
    • Data from Local System (1) T1005


        Downloads

        • C:\Users\Admin\Documents\QcYpdXYoUw1ndXTzBbCh9OCq.exe
          MD5

          ee81823510c7391a52f853ecbd1282b6

          SHA1

          478e3ae5cbe226bf29f4d8fde7a2baa6673bebeb

          SHA256

          ce3ec779c528571158b82f07eee30fb5eb847dcac895f06fc4d74925ca447627

          SHA512

          c5ffba4a24d47b9d5f1cd77b61844f6b03a0878de1b6f0649a6193ad9e101a64992e922d2c75f43493016f1107ff9b23935dccecc8b4576846f67422dc7aa981

        • C:\Users\Admin\Documents\QcYpdXYoUw1ndXTzBbCh9OCq.exe
          MD5

          6c17ff6ad012de22c3e0c652eb9672c1

          SHA1

          b4dcaf675109c28dfadabf697df937e3a080725d

          SHA256

          d33da5fef29c522ce94acac108973f1d85285391a209d5597cd30f4f4bffc414

          SHA512

          4a71e08493c3ad647493d62746c20c300b9c144ad94c20ec05ce2d9a2909a6cd9d73878d52e665567ce133e5235c0f2672416381f04c202065d61b2e6fd4f05e

        • C:\Users\Admin\Documents\_C73kS_G445gOisXmesrjCXH.exe
          MD5

          c73bcfe56183ee77e0c49251983aa9dc

          SHA1

          b29e427d6157eb63161aa3a399c380dd7b8d9735

          SHA256

          f427c6500a5fdaf1b4d9c4c85b112687abb0798d53618578f640cb5a8bfb7209

          SHA512

          4cd204c233ef7b0d4f8a3d9096d07e9b00f07ca3d4d12f55f3b6691a138698a9769ff4e8208a6ed714ed1d5d406f8b812654083c230ad23e920c93ec72860142

        • C:\Users\Admin\Documents\ynEvi3qtYjlIooadkc0mVXNT.exe
          MD5

          c164b3640bf25e69cf0073d13818b91a

          SHA1

          fd4f5c3e59ed1de5897f115db27e3f70cd484a56

          SHA256

          b9432ae4373381a2b070dca8bae2db0079337a82f57c04c2348119d444e9205c

          SHA512

          8f1a9848d32fcb43a2893f9255015e588d24bce96b050e3f2ba05ad2e85753eb027a6afacbad6bd1e44d7dc7adce8f343b8497bc112b329eb395608661c2e6e7

        • \??\c:\users\admin\documents\ynevi3qtyjliooadkc0mvxnt.exe
          MD5

          e77d996b10ad6f70e2f76fb701f7b47b

          SHA1

          bc161b7446382a3881248f6a31a95a52af9963e2

          SHA256

          8fa138e63357118d4462b2c34526edf615873666acfa069d68ac52b37f70cc0a

          SHA512

          00a1195509d83733a41e2467cc2f5cbfcbd0589ae0bc032c486a5cd2a6ee78d4ad873426a90793f433ecfb559bc18bc3c77d211cecf7d8777bfb0f52ee38e7ed

        • memory/3480-130-0x0000029238330000-0x0000029238340000-memory.dmp
          Filesize

          64KB

        • memory/3480-131-0x0000029238390000-0x00000292383A0000-memory.dmp
          Filesize

          64KB

        • memory/3480-132-0x000002923B070000-0x000002923B074000-memory.dmp
          Filesize

          16KB