d5c1c64135fad708c51d88ecc889a1b50404bfd3233f01a7b5f0d26b2c718b2e

General

Target

Setup.exe
Size

837.3MB
MD5

bf6b5f2d76fb058e3e6a38cbdbdd22a5
SHA1

dfef116bd3994f05476040608d63fd8af19d09d7
SHA256

b2f86cda9f22b4adc43c5bb08dfc2625619ab487c5f172b35ce190ac6d8782a9
SHA512

c06b9dc975d707038efc2a88c45f629fa3944bc5b7ecf2d979e5f8db52e60b161f42e82de92c7ed80482acb90bac436eeda77407047efab943380de72d57e9f4
SSDEEP

12288:PO5wC1Qx3/FeGLO9g4afrfYF3pVIyZZ8tfX9D6V01lpnOrsPgi:25wslGLacfYF8yEtftGY/Or+h

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 1872 set thread context of 584 1872 Setup.exe Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1872 set thread context of 584	1872	Setup.exe	Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exepowershell.exe

pid	process
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1800	powershell.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe
1872	Setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Setup.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1872 Setup.exe
Token: SeDebugPrivilege 1800 powershell.exe
Token: SeDebugPrivilege 1204 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1872	Setup.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Setup.execmd.exe

description	pid	process	target process
PID 1872 wrote to memory of 1800	1872	Setup.exe	powershell.exe
PID 1872 wrote to memory of 1800	1872	Setup.exe	powershell.exe
PID 1872 wrote to memory of 1800	1872	Setup.exe	powershell.exe
PID 1872 wrote to memory of 1800	1872	Setup.exe	powershell.exe
PID 1872 wrote to memory of 948	1872	Setup.exe	cmd.exe
PID 1872 wrote to memory of 948	1872	Setup.exe	cmd.exe
PID 1872 wrote to memory of 948	1872	Setup.exe	cmd.exe
PID 1872 wrote to memory of 948	1872	Setup.exe	cmd.exe
PID 948 wrote to memory of 1204	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1204	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1204	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1204	948	cmd.exe	powershell.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe
PID 1872 wrote to memory of 584	1872	Setup.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
38039659716826ff5137770cc7e653d3

SHA1
9d36c1e761ed28cf122bb19c026078ab54fcb9ca

SHA256
66595645bb42bfc48c53bc626796e013e0b7e4ee876daefc7090fa1a1d793d7f

SHA512
c10fcb32c35599e4d8c30b4afb0b90002cdf8fc619773fa74f2c7a8e3b30b38062e0eb87fc642a5e3d04b7dd1e97f9de23f366659b59563b8effff9548d89211

Download Submit
memory/584-75-0x00000000004088ED-mapping.dmp

Download
memory/584-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/584-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/584-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/584-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/584-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/948-64-0x0000000000000000-mapping.dmp

Download
memory/1204-65-0x0000000000000000-mapping.dmp

Download
memory/1204-77-0x000000006E170000-0x000000006E71B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-78-0x000000006E170000-0x000000006E71B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-63-0x000000006E420000-0x000000006E9CB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-62-0x000000006E420000-0x000000006E9CB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-61-0x000000006E420000-0x000000006E9CB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-59-0x0000000000000000-mapping.dmp

Download
memory/1872-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1872-58-0x00000000026B0000-0x0000000002742000-memory.dmp

Filesize
584KB

Download
memory/1872-57-0x0000000000F50000-0x0000000000FEE000-memory.dmp

Filesize
632KB

Download
memory/1872-56-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1872-55-0x0000000000CC0000-0x0000000000D7A000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing