Overview

overview

7

Static

static

Setup.exe

windows7-x64

5

Setup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    270s
  • max time network
    291s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2022 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    837.3MB

  • MD5

    bf6b5f2d76fb058e3e6a38cbdbdd22a5

  • SHA1

    dfef116bd3994f05476040608d63fd8af19d09d7

  • SHA256

    b2f86cda9f22b4adc43c5bb08dfc2625619ab487c5f172b35ce190ac6d8782a9

  • SHA512

    c06b9dc975d707038efc2a88c45f629fa3944bc5b7ecf2d979e5f8db52e60b161f42e82de92c7ed80482acb90bac436eeda77407047efab943380de72d57e9f4

  • SSDEEP

    12288:PO5wC1Qx3/FeGLO9g4afrfYF3pVIyZZ8tfX9D6V01lpnOrsPgi:25wslGLacfYF8yEtftGY/Or+h

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\Setup.exe
      2⤵
        PID:3796

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      8a1df57b40b78ed68c822945a18a9595

      SHA1

      955480cf164ea714ddd961ed58d0b62a8b410cbd

      SHA256

      4449a37af253aee00c95aa449f6bfd4626fc719280cfda389092b3743ac2e538

      SHA512

      6b24a657c82eb15f7649d40c0226eb81b15bf31bc02de66c6648fb40fd92d75509a2db1242007832ee0f5215ab596141d708d394bf87569ce6d2ce24fe4d5687

      Download Submit
    • memory/3464-161-0x00000000070C0000-0x00000000070C8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3464-160-0x00000000070E0000-0x00000000070FA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3464-159-0x0000000005660000-0x000000000566E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3464-158-0x0000000007160000-0x00000000071F6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3464-157-0x0000000006F20000-0x0000000006F2A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3464-156-0x0000000006120000-0x000000000613E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3464-155-0x000000006FFC0000-0x000000007000C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3464-154-0x0000000006160000-0x0000000006192000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3464-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3692-135-0x0000000005A90000-0x0000000005AB2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3692-134-0x0000000005880000-0x0000000005912000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3692-132-0x0000000000AD0000-0x0000000000B8A000-memory.dmp
      Filesize

      744KB

      Download
    • memory/3692-133-0x0000000005D50000-0x00000000062F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3796-147-0x0000000000400000-0x000000000041E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3796-150-0x0000000000400000-0x000000000041E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3796-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3796-152-0x0000000000400000-0x000000000041E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4464-143-0x0000000006CA0000-0x0000000006CBA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4464-142-0x0000000007FC0000-0x000000000863A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4464-141-0x00000000067B0000-0x00000000067CE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4464-140-0x0000000006060000-0x00000000060C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4464-139-0x0000000005FF0000-0x0000000006056000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4464-138-0x0000000005920000-0x0000000005F48000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4464-137-0x00000000051F0000-0x0000000005226000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4464-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4936-144-0x0000000000000000-mapping.dmp
      Download