Analysis Overview
SHA256
d49c678df0914e0855d29a855b37d39f0c745a507660ee10c1d1022140d3205c
Threat Level: Likely malicious
The file SetupApp_v6.7.1.zip was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-26 15:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-26 15:42
Reported
2023-01-26 15:46
Platform
win7-20221111-en
Max time kernel
24s
Max time network
31s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1532 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1532 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1532 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1532 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe
"C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-26 15:42
Reported
2023-01-26 15:46
Platform
win10v2004-20220812-en
Max time kernel
136s
Max time network
158s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\wermgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\wermgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1348 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1348 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1348 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2772 wrote to memory of 116 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\wermgr.exe |
| PID 2772 wrote to memory of 116 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\wermgr.exe |
| PID 2772 wrote to memory of 116 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\wermgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe
"C:\Users\Admin\AppData\Local\Temp\SetupApp_v6.7.1\SetupApp_v6.7.1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2772" "3628" "2480" "3632" "0" "0" "1948" "0" "0" "0" "0" "0"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 45.93.201.114:80 | 45.93.201.114 | tcp |
Files