250229b0e18bd1532544017c78ae8ca524e597bd43dde2382a009bf866356657

Analysis

max time kernel
39s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

858KB
MD5

8a166942be43113446aaaf849ed936ce
SHA1

96aef6514d29f961b5952c25dfa2edd0878014cf
SHA256

8d4bc9ab5421e83ee60873f0aecbd307bc2e22cabff8e8a6bdf7ab9e2e20f5b5
SHA512

1c291a2792ec7e2a843907dc8074eda018560e51103b2e764b761d6eaea997c61ac41d2e83edd57327618683603bafb84a5052a43b16689cd734c070da7b09bd
SSDEEP

12288:Z2UBGPFJag4vH5QJ2MITDnl+7trXz9PKkoQOd43yOlYxIOxRzgPDh+WNNynWD6Yy:Z2UEPFJag8dfvnKdKkJhllqIPsOMM6r

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
1280	setup.exe
1892	setup.tmp
1892	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1892	1280	setup.exe	28
PID 1280 wrote to memory of 1892	1280	setup.exe	28
PID 1280 wrote to memory of 1892	1280	setup.exe	28
PID 1280 wrote to memory of 1892	1280	setup.exe	28
PID 1280 wrote to memory of 1892	1280	setup.exe	28
PID 1280 wrote to memory of 1892	1280	setup.exe	28
PID 1280 wrote to memory of 1892	1280	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\is-V4EIJ.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V4EIJ.tmp\setup.tmp" /SL5="$60124,609633,53248,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-V4EIJ.tmp\setup.tmp

Filesize
665KB

MD5
9e30ab5e3f6b43f69f928e6b4fcfd604

SHA1
b110f04114c52f2439715cbad3769250dbcdb1b3

SHA256
affbe7f0320f9602d8c51468ecb7bc7960df4f62ab1a36c05ac2fe2816d175ba

SHA512
8d751d8c8023bbd54ea2ea0969ad9f379d8bf1066980fdd58007e778bdf654e4e13264ac8917be91ac8583ea9ae5536ca600530f413cbd887c234ec60be5a45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V4EIJ.tmp\setup.tmp

Filesize
665KB

MD5
9e30ab5e3f6b43f69f928e6b4fcfd604

SHA1
b110f04114c52f2439715cbad3769250dbcdb1b3

SHA256
affbe7f0320f9602d8c51468ecb7bc7960df4f62ab1a36c05ac2fe2816d175ba

SHA512
8d751d8c8023bbd54ea2ea0969ad9f379d8bf1066980fdd58007e778bdf654e4e13264ac8917be91ac8583ea9ae5536ca600530f413cbd887c234ec60be5a45d

Download Submit
\Users\Admin\AppData\Local\Temp\is-UEOIF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UEOIF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-V4EIJ.tmp\setup.tmp

Filesize
665KB

MD5
9e30ab5e3f6b43f69f928e6b4fcfd604

SHA1
b110f04114c52f2439715cbad3769250dbcdb1b3

SHA256
affbe7f0320f9602d8c51468ecb7bc7960df4f62ab1a36c05ac2fe2816d175ba

SHA512
8d751d8c8023bbd54ea2ea0969ad9f379d8bf1066980fdd58007e778bdf654e4e13264ac8917be91ac8583ea9ae5536ca600530f413cbd887c234ec60be5a45d

Download Submit
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download