996f884cba8ebd5af190ece5f3c47b408474e4b8a0ca64949588f521bab6377e

Analysis

max time kernel
203s
max time network
286s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10901268/Setup.exe
Size

480KB
MD5

932434ecfebbf4597b2e708533c2bf1c
SHA1

b862f0aa85324dfc7dc3c51a851f1a75caf9cf5c
SHA256

157d305f19831bbe0b1a4c4df56069a234361fec11ae9c02bab77f1af641b97b
SHA512

595d259393a0ec35cda136eb26c0f26103e3981afb1ae2e92085eb39a3b5b8a3c59bb2971e66e2155842ad527d10584414ded258a046fa57b9cb535186c7977a
SSDEEP

12288:+kTyXmk77qAXxm+o5TQgu6NhR5MDoSuDF8rm:TMmkP7I+o5TqsaY

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
608	DyWizardUp.exe
1320	Setup.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral11/memory/1492-55-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral11/files/0x000b0000000122f2-57.dat	upx
behavioral11/files/0x000b0000000122f2-59.dat	upx
behavioral11/memory/1492-61-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral11/files/0x000b0000000122f2-63.dat	upx
behavioral11/files/0x000b0000000122f2-62.dat	upx
behavioral11/files/0x000b0000000122f2-65.dat	upx
behavioral11/files/0x000b0000000122f2-64.dat	upx
behavioral11/memory/608-66-0x0000000000350000-0x00000000003E6000-memory.dmp	upx
behavioral11/memory/608-69-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral11/memory/608-73-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral11/files/0x0007000000012722-74.dat	upx
behavioral11/memory/608-75-0x0000000004040000-0x000000000433F000-memory.dmp	upx
behavioral11/memory/608-79-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral11/files/0x0007000000012722-77.dat	upx
behavioral11/files/0x0007000000012722-80.dat	upx
behavioral11/files/0x0007000000012722-81.dat	upx
behavioral11/files/0x0007000000012722-82.dat	upx
behavioral11/memory/1320-84-0x0000000000D00000-0x0000000000FFF000-memory.dmp	upx
behavioral11/memory/1320-85-0x0000000000400000-0x00000000006FF000-memory.dmp	upx
behavioral11/memory/1320-88-0x0000000000400000-0x00000000006FF000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
1492	Setup.exe
608	DyWizardUp.exe
608	DyWizardUp.exe
608	DyWizardUp.exe
608	DyWizardUp.exe
1320	Setup.exe
1320	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1492	Setup.exe
1492	Setup.exe
608	DyWizardUp.exe
608	DyWizardUp.exe
1320	Setup.exe
1320	Setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 1492 wrote to memory of 608	1492	Setup.exe	29
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31
PID 608 wrote to memory of 1320	608	DyWizardUp.exe	31

C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\DyWizardUp.exe
  "C:\Users\Admin\AppData\Local\Temp\DyWizardUp.exe" "http://soft.doyo.cn/update/Setup_20190915.exe|1675464|C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe" doyo
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe

Filesize
1.6MB

MD5
c08bc60f1cbdf5e23f055342eed049ec

SHA1
c1c6b3de74a9914f59b6a36ee4ade705d266eabc

SHA256
d76335977ce4bd0b7d9ad84abe5a880e62628c74ad47ffe563dc545d589c3a1a

SHA512
8c687ccefae15ae5622af35aae71df7b51737dc7be3b2df55c7853d98cdf818f7627b823d7857930bb4c3c3d3e56de0f874c5491355bb58ff766373e053c8d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10901268\Setup.exe

Filesize
1.6MB

MD5
c08bc60f1cbdf5e23f055342eed049ec

SHA1
c1c6b3de74a9914f59b6a36ee4ade705d266eabc

SHA256
d76335977ce4bd0b7d9ad84abe5a880e62628c74ad47ffe563dc545d589c3a1a

SHA512
8c687ccefae15ae5622af35aae71df7b51737dc7be3b2df55c7853d98cdf818f7627b823d7857930bb4c3c3d3e56de0f874c5491355bb58ff766373e053c8d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyWizardUp.exe

Filesize
215KB

MD5
fbbd9cf4cbcb98d7b5c2dcd0abab12f9

SHA1
15d8b92eac73bc9fea14be398615435d87651ccc

SHA256
3c3a03a2482204e928b69f9ee6fcf291793af205e583d0e80f5f25974c0cbbfd

SHA512
aac023738c7caf1adf149bb220ea6aa9cb9c15f6ffe228b55d9f306373539f32d7a8aa70695592e3c61a1808db2aa0151f8829327bc213ee4306aefb78a191ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyWizardUp.exe

Filesize
215KB

MD5
fbbd9cf4cbcb98d7b5c2dcd0abab12f9

SHA1
15d8b92eac73bc9fea14be398615435d87651ccc

SHA256
3c3a03a2482204e928b69f9ee6fcf291793af205e583d0e80f5f25974c0cbbfd

SHA512
aac023738c7caf1adf149bb220ea6aa9cb9c15f6ffe228b55d9f306373539f32d7a8aa70695592e3c61a1808db2aa0151f8829327bc213ee4306aefb78a191ae

Download Submit
\Users\Admin\AppData\Local\Temp\10901268\Setup.exe

Filesize
1.6MB

MD5
c08bc60f1cbdf5e23f055342eed049ec

SHA1
c1c6b3de74a9914f59b6a36ee4ade705d266eabc

SHA256
d76335977ce4bd0b7d9ad84abe5a880e62628c74ad47ffe563dc545d589c3a1a

SHA512
8c687ccefae15ae5622af35aae71df7b51737dc7be3b2df55c7853d98cdf818f7627b823d7857930bb4c3c3d3e56de0f874c5491355bb58ff766373e053c8d6e

Download Submit
\Users\Admin\AppData\Local\Temp\10901268\Setup.exe

Filesize
1.6MB

MD5
c08bc60f1cbdf5e23f055342eed049ec

SHA1
c1c6b3de74a9914f59b6a36ee4ade705d266eabc

SHA256
d76335977ce4bd0b7d9ad84abe5a880e62628c74ad47ffe563dc545d589c3a1a

SHA512
8c687ccefae15ae5622af35aae71df7b51737dc7be3b2df55c7853d98cdf818f7627b823d7857930bb4c3c3d3e56de0f874c5491355bb58ff766373e053c8d6e

Download Submit
\Users\Admin\AppData\Local\Temp\10901268\Setup.exe

Filesize
1.6MB

MD5
c08bc60f1cbdf5e23f055342eed049ec

SHA1
c1c6b3de74a9914f59b6a36ee4ade705d266eabc

SHA256
d76335977ce4bd0b7d9ad84abe5a880e62628c74ad47ffe563dc545d589c3a1a

SHA512
8c687ccefae15ae5622af35aae71df7b51737dc7be3b2df55c7853d98cdf818f7627b823d7857930bb4c3c3d3e56de0f874c5491355bb58ff766373e053c8d6e

Download Submit
\Users\Admin\AppData\Local\Temp\DyWizardUp.exe

Filesize
215KB

MD5
fbbd9cf4cbcb98d7b5c2dcd0abab12f9

SHA1
15d8b92eac73bc9fea14be398615435d87651ccc

SHA256
3c3a03a2482204e928b69f9ee6fcf291793af205e583d0e80f5f25974c0cbbfd

SHA512
aac023738c7caf1adf149bb220ea6aa9cb9c15f6ffe228b55d9f306373539f32d7a8aa70695592e3c61a1808db2aa0151f8829327bc213ee4306aefb78a191ae

Download Submit
\Users\Admin\AppData\Local\Temp\DyWizardUp.exe

Filesize
215KB

MD5
fbbd9cf4cbcb98d7b5c2dcd0abab12f9

SHA1
15d8b92eac73bc9fea14be398615435d87651ccc

SHA256
3c3a03a2482204e928b69f9ee6fcf291793af205e583d0e80f5f25974c0cbbfd

SHA512
aac023738c7caf1adf149bb220ea6aa9cb9c15f6ffe228b55d9f306373539f32d7a8aa70695592e3c61a1808db2aa0151f8829327bc213ee4306aefb78a191ae

Download Submit
\Users\Admin\AppData\Local\Temp\DyWizardUp.exe

Filesize
215KB

MD5
fbbd9cf4cbcb98d7b5c2dcd0abab12f9

SHA1
15d8b92eac73bc9fea14be398615435d87651ccc

SHA256
3c3a03a2482204e928b69f9ee6fcf291793af205e583d0e80f5f25974c0cbbfd

SHA512
aac023738c7caf1adf149bb220ea6aa9cb9c15f6ffe228b55d9f306373539f32d7a8aa70695592e3c61a1808db2aa0151f8829327bc213ee4306aefb78a191ae

Download Submit
\Users\Admin\AppData\Local\Temp\DyWizardUp.exe

Filesize
215KB

MD5
fbbd9cf4cbcb98d7b5c2dcd0abab12f9

SHA1
15d8b92eac73bc9fea14be398615435d87651ccc

SHA256
3c3a03a2482204e928b69f9ee6fcf291793af205e583d0e80f5f25974c0cbbfd

SHA512
aac023738c7caf1adf149bb220ea6aa9cb9c15f6ffe228b55d9f306373539f32d7a8aa70695592e3c61a1808db2aa0151f8829327bc213ee4306aefb78a191ae

Download Submit
memory/608-66-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/608-79-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/608-68-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/608-69-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/608-70-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/608-71-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/608-73-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/608-72-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/608-67-0x0000000000350000-0x00000000003E6000-memory.dmp

Filesize
600KB

Download
memory/608-75-0x0000000004040000-0x000000000433F000-memory.dmp

Filesize
3.0MB

Download
memory/1320-83-0x0000000000D00000-0x0000000000FFF000-memory.dmp

Filesize
3.0MB

Download
memory/1320-84-0x0000000000D00000-0x0000000000FFF000-memory.dmp

Filesize
3.0MB

Download
memory/1320-85-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/1320-86-0x0000000000D00000-0x0000000000FFF000-memory.dmp

Filesize
3.0MB

Download
memory/1320-87-0x0000000000D00000-0x0000000000FFF000-memory.dmp

Filesize
3.0MB

Download
memory/1320-88-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/1492-56-0x0000000000560000-0x00000000006B7000-memory.dmp

Filesize
1.3MB

Download
memory/1492-55-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1492-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1492-61-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download