Overview

overview

8

Static

static

setup_pstm...ta.exe

windows7-x64

8

setup_pstm...ta.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    138s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_pstmafm44x_20220402_Beta.exe

  • Size

    29.0MB

  • MD5

    153d9212e049fa053d2337de207f169f

  • SHA1

    8c8b0692d48c3bc8ede9f426993f283943c79537

  • SHA256

    2e5f727b95527d3320a50400c48bec4208dd10f39776e667fccfc943287f27ff

  • SHA512

    daa6a6e39824ded9cbc716ac2aa734c7be124fbfb1156ed03818b9d7891d7cbf7685c73f82cdf82f0812ae9f64d0f1da89523dc5060f589da04b06ef8230d6a0

  • SSDEEP

    786432:iliap7IQWxhhh+3vLccvBG7yadtUlkiYno6RgzQCTyr0satP8:iliaBEhhh+3vNvBGyeGk5o6i0Ayr0sY0

Score
8/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_pstmafm44x_20220402_Beta.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_pstmafm44x_20220402_Beta.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp" /SL5="$70124,29710762,721408,C:\Users\Admin\AppData\Local\Temp\setup_pstmafm44x_20220402_Beta.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
        "C:\CreaTec\STMAFM20220402\Pstmafm.exe" /regserverperuser
        3⤵
        • Executes dropped EXE
        • Registers COM server for autorun
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1544
      • C:\CreaTec\STMAFM20220402\Pstmafm.exe
        "C:\CreaTec\STMAFM20220402\Pstmafm.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\CreaTec\STMAFM20220402\STMAFMDSPforWindows.exe
          "C:\CreaTec\STMAFM20220402\STMAFMDSPforWindows.exe" 51599
          4⤵
          • Executes dropped EXE
          PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\CreaTec\STMAFM20220402\Pstmafm.exe
    Filesize

    72.3MB

    MD5

    dcb1f1435fb46fad630c8b9129147a5c

    SHA1

    fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

    SHA256

    7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

    SHA512

    4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

    Download Submit
  • C:\CreaTec\STMAFM20220402\Pstmafm.exe
    Filesize

    72.3MB

    MD5

    dcb1f1435fb46fad630c8b9129147a5c

    SHA1

    fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

    SHA256

    7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

    SHA512

    4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

    Download Submit
  • C:\CreaTec\STMAFM20220402\Pstmafm.exe
    Filesize

    72.3MB

    MD5

    dcb1f1435fb46fad630c8b9129147a5c

    SHA1

    fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

    SHA256

    7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

    SHA512

    4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

    Download Submit
  • C:\CreaTec\STMAFM20220402\STMAFMDSPforWindows.exe
    Filesize

    192KB

    MD5

    c61d77e8f0d3a97d4f7f7422d6b3a9e6

    SHA1

    e8600b6c645b4430dcaa801cd3c9c705930e8989

    SHA256

    1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

    SHA512

    2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

    Download Submit
  • C:\CreaTec\STMAFM20220402\stmafmdspforwindows.exe
    Filesize

    192KB

    MD5

    c61d77e8f0d3a97d4f7f7422d6b3a9e6

    SHA1

    e8600b6c645b4430dcaa801cd3c9c705930e8989

    SHA256

    1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

    SHA512

    2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
    Filesize

    2.4MB

    MD5

    8e2d270339dcd0a68fbb2f02a65d45dd

    SHA1

    bfcdb1f71692020858f96960e432e94a4e70c4a4

    SHA256

    506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

    SHA512

    31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
    Filesize

    2.4MB

    MD5

    8e2d270339dcd0a68fbb2f02a65d45dd

    SHA1

    bfcdb1f71692020858f96960e432e94a4e70c4a4

    SHA256

    506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

    SHA512

    31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

    Download Submit
  • \CreaTec\STMAFM20220402\Pstmafm.exe
    Filesize

    72.3MB

    MD5

    dcb1f1435fb46fad630c8b9129147a5c

    SHA1

    fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

    SHA256

    7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

    SHA512

    4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

    Download Submit
  • \CreaTec\STMAFM20220402\Pstmafm.exe
    Filesize

    72.3MB

    MD5

    dcb1f1435fb46fad630c8b9129147a5c

    SHA1

    fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

    SHA256

    7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

    SHA512

    4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

    Download Submit
  • \CreaTec\STMAFM20220402\Pstmafm.exe
    Filesize

    72.3MB

    MD5

    dcb1f1435fb46fad630c8b9129147a5c

    SHA1

    fed0fe9504b20b418d8b9e7e888e2fccd7cd1d3d

    SHA256

    7b38c085ce079d44bef29334efad403711e2f3c23bbf189e7d7024af9ec2127e

    SHA512

    4fe4f55d8f8cfd435fbdd5009f26918e8287a37f26b10ead24b0f8fba687e762814d72c3048ae43b47db22c13129225daf161378db990d2dfe8a4450ed4b410a

    Download Submit
  • \CreaTec\STMAFM20220402\stmafmdspforwindows.exe
    Filesize

    192KB

    MD5

    c61d77e8f0d3a97d4f7f7422d6b3a9e6

    SHA1

    e8600b6c645b4430dcaa801cd3c9c705930e8989

    SHA256

    1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

    SHA512

    2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

    Download Submit
  • \CreaTec\STMAFM20220402\stmafmdspforwindows.exe
    Filesize

    192KB

    MD5

    c61d77e8f0d3a97d4f7f7422d6b3a9e6

    SHA1

    e8600b6c645b4430dcaa801cd3c9c705930e8989

    SHA256

    1bdca23795e20381421a61a2faf4ea8c7f482c77c00d8f13fd54ad5959dba2d9

    SHA512

    2b709bcdcfeb9dfa7705b128217ccba194cdb40ad0b37c3cecbdc323542235d3347252ee6e599b4e85561a001bd7c23168663a4f42b72b6368c316e99fd05136

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-OSHT7.tmp\setup_pstmafm44x_20220402_Beta.tmp
    Filesize

    2.4MB

    MD5

    8e2d270339dcd0a68fbb2f02a65d45dd

    SHA1

    bfcdb1f71692020858f96960e432e94a4e70c4a4

    SHA256

    506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

    SHA512

    31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

    Download Submit
  • memory/568-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1232-62-0x0000000074421000-0x0000000074423000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1232-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1324-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1544-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1652-61-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB

    Download
  • memory/1652-73-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB

    Download
  • memory/1652-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1652-55-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize

    760KB

    Download