Overview

overview

8

Static

static

setup_pstm...ta.exe

windows7-x64

8

setup_pstm...ta.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    138s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 10:44

Sharing

Copy URL
Twitter E-mail

General

  • Target

    setup_pstmafm44x_20220402_Beta.exe

  • Size

    28MB

  • MD5

    153d9212e049fa053d2337de207f169f

  • SHA1

    8c8b0692d48c3bc8ede9f426993f283943c79537

  • SHA256

    2e5f727b95527d3320a50400c48bec4208dd10f39776e667fccfc943287f27ff

  • SHA512

    daa6a6e39824ded9cbc716ac2aa734c7be124fbfb1156ed03818b9d7891d7cbf7685c73f82cdf82f0812ae9f64d0f1da89523dc5060f589da04b06ef8230d6a0

  • SSDEEP

    786432:iliap7IQWxhhh+3vLccvBG7yadtUlkiYno6RgzQCTyr0satP8:iliaBEhhh+3vNvBGyeGk5o6i0Ayr0sY0

Score
8/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE ⋅ 4 IoCs
  • Registers COM server for autorun ⋅ 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL ⋅ 6 IoCs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry ⋅ 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class ⋅ 64 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 7 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 5 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_pstmafm44x_20220402_Beta.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_pstmafm44x_20220402_Beta.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp" /SL5="$70124,29710762,721408,C:\Users\Admin\AppData\Local\Temp\setup_pstmafm44x_20220402_Beta.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1232
      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
        "C:\CreaTec\STMAFM20220402\Pstmafm.exe" /regserverperuser
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        PID:1544
      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
        "C:\CreaTec\STMAFM20220402\Pstmafm.exe"
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:568
        • C:\CreaTec\STMAFM20220402\STMAFMDSPforWindows.exe
          "C:\CreaTec\STMAFM20220402\STMAFMDSPforWindows.exe" 51599
          Executes dropped EXE
          PID:1324

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                    Privilege Escalation

                      Replay Monitor

                      00:00 00:00

                      Downloads

                      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
                        Filesize

                        72MB

                        MD5

                        dcb1f1435fb46fad630c8b9129147a5c

                        SHA1

                        fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

                        SHA256

                        7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

                        SHA512

                        4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

                        Download Submit
                      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
                        Filesize

                        72MB

                        MD5

                        dcb1f1435fb46fad630c8b9129147a5c

                        SHA1

                        fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

                        SHA256

                        7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

                        SHA512

                        4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

                        Download Submit
                      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
                        Filesize

                        72MB

                        MD5

                        dcb1f1435fb46fad630c8b9129147a5c

                        SHA1

                        fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

                        SHA256

                        7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

                        SHA512

                        4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

                        Download Submit
                      • C:\CreaTec\STMAFM20220402\STMAFMDSPforWindows.exe
                        Filesize

                        192KB

                        MD5

                        c61d77e8f0d3a97d4f7f7422d6b3a9e6

                        SHA1

                        e8600b6c645b4430dcaa801cd3c9c705930e8989

                        SHA256

                        1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

                        SHA512

                        2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

                        Download Submit
                      • C:\CreaTec\STMAFM20220402\stmafmdspforwindows.exe
                        Filesize

                        192KB

                        MD5

                        c61d77e8f0d3a97d4f7f7422d6b3a9e6

                        SHA1

                        e8600b6c645b4430dcaa801cd3c9c705930e8989

                        SHA256

                        1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

                        SHA512

                        2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
                        Filesize

                        2MB

                        MD5

                        8e2d270339dcd0a68fbb2f02a65d45dd

                        SHA1

                        bfcdb1f71692020858f96960e432e94a4e70c4a4

                        SHA256

                        506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

                        SHA512

                        31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
                        Filesize

                        2MB

                        MD5

                        8e2d270339dcd0a68fbb2f02a65d45dd

                        SHA1

                        bfcdb1f71692020858f96960e432e94a4e70c4a4

                        SHA256

                        506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

                        SHA512

                        31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

                        Download Submit
                      • \CreaTec\STMAFM20220402\Pstmafm.exe
                        Filesize

                        72MB

                        MD5

                        dcb1f1435fb46fad630c8b9129147a5c

                        SHA1

                        fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

                        SHA256

                        7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

                        SHA512

                        4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

                        Download Submit
                      • \CreaTec\STMAFM20220402\Pstmafm.exe
                        Filesize

                        72MB

                        MD5

                        dcb1f1435fb46fad630c8b9129147a5c

                        SHA1

                        fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

                        SHA256

                        7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

                        SHA512

                        4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

                        Download Submit
                      • \CreaTec\STMAFM20220402\Pstmafm.exe
                        Filesize

                        72MB

                        MD5

                        dcb1f1435fb46fad630c8b9129147a5c

                        SHA1

                        fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

                        SHA256

                        7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

                        SHA512

                        4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

                        Download Submit
                      • \CreaTec\STMAFM20220402\stmafmdspforwindows.exe
                        Filesize

                        192KB

                        MD5

                        c61d77e8f0d3a97d4f7f7422d6b3a9e6

                        SHA1

                        e8600b6c645b4430dcaa801cd3c9c705930e8989

                        SHA256

                        1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

                        SHA512

                        2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

                        Download Submit
                      • \CreaTec\STMAFM20220402\stmafmdspforwindows.exe
                        Filesize

                        192KB

                        MD5

                        c61d77e8f0d3a97d4f7f7422d6b3a9e6

                        SHA1

                        e8600b6c645b4430dcaa801cd3c9c705930e8989

                        SHA256

                        1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

                        SHA512

                        2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
                        Filesize

                        2MB

                        MD5

                        8e2d270339dcd0a68fbb2f02a65d45dd

                        SHA1

                        bfcdb1f71692020858f96960e432e94a4e70c4a4

                        SHA256

                        506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

                        SHA512

                        31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

                        Download Submit
                      • memory/568-70-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1232-62-0x0000000074421000-0x0000000074423000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/1232-58-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1324-78-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1544-65-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1652-61-0x0000000000400000-0x00000000004BE000-memory.dmp
                        Filesize

                        760KB

                        Download
                      • memory/1652-73-0x0000000000400000-0x00000000004BE000-memory.dmp
                        Filesize

                        760KB

                        Download
                      • memory/1652-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/1652-55-0x0000000000400000-0x00000000004BE000-memory.dmp
                        Filesize

                        760KB

                        Download