Malware Analysis Report

2025-04-03 08:53

Sample ID 230126-s5a46sec27
Target SetupApp_v6.7.1.zip
SHA256 d49c678df0914e0855d29a855b37d39f0c745a507660ee10c1d1022140d3205c
Tags
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 d49c678df0914e0855d29a855b37d39f0c745a507660ee10c1d1022140d3205c

Threat Level: Likely malicious

The file SetupApp_v6.7.1.zip was found to be: Likely malicious.

Malicious Activity Summary


Blocklisted process makes network request

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-01-26 15:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-01-26 15:42

Reported 2023-01-26 15:46

Platform win7-20221111-en

Max time kernel 24s

Max time network 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe

"C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"

Network

N/A

Files

memory/1532-54-0x0000000000810000-0x0000000000858000-memory.dmp

memory/1532-55-0x0000000076941000-0x0000000076943000-memory.dmp

memory/2000-56-0x0000000000000000-mapping.dmp

memory/2000-58-0x00000000743B0000-0x000000007495B000-memory.dmp

memory/2000-59-0x00000000743B0000-0x000000007495B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-01-26 15:42

Reported 2023-01-26 15:46

Platform win10v2004-20220812-en

Max time kernel 136s

Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\wermgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\wermgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\wermgr.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\wermgr.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\wermgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe

"C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"

C:\Windows\SysWOW64\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2772" "3628" "2480" "3632" "0" "0" "1948" "0" "0" "0" "0" "0"

Network

Country | Destination | Domain | Proto
N/A | 45.93.201.114:80 | 45.93.201.114 | tcp

Files

memory/1348-132-0x00000000008F0000-0x0000000000938000-memory.dmp

memory/1348-133-0x0000000005840000-0x0000000005DE4000-memory.dmp

memory/1348-134-0x0000000005330000-0x00000000053C2000-memory.dmp

memory/1348-135-0x0000000005300000-0x000000000530A000-memory.dmp

memory/2772-136-0x0000000000000000-mapping.dmp

memory/2772-137-0x0000000004B10000-0x0000000004B46000-memory.dmp

memory/2772-138-0x0000000005220000-0x0000000005848000-memory.dmp

memory/2772-139-0x0000000005100000-0x0000000005122000-memory.dmp

memory/2772-140-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/2772-141-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/2772-142-0x00000000060F0000-0x000000000610E000-memory.dmp

memory/2772-143-0x0000000006690000-0x00000000066D4000-memory.dmp

memory/2772-144-0x0000000007400000-0x0000000007476000-memory.dmp

memory/2772-145-0x0000000007B00000-0x000000000817A000-memory.dmp

memory/2772-146-0x0000000007480000-0x000000000749A000-memory.dmp

memory/116-147-0x0000000000000000-mapping.dmp