c6169e024f84934dc059f85d28bb947e5e6694ae21406b6feef178a8a6800902

General

Target

Setup x32.exe
Size

5.4MB
MD5

8ce3dd6ec449dc5a5a86696b78435217
SHA1

c82622c8d7a28bda5a9d5300b3051d5180556681
SHA256

b710fae61d729f59c56bd4f91717e8b7df9bdf318b79195e125e9fc5bc990844
SHA512

898792858c05001218d35fd4691975e0005c33744664c9f9e0bc93c8f886ee9c67dbc062fc5e22217f6079ea7a6948c2fe896d8f66dcc86a85be4e01650517ed
SSDEEP

98304:3AmhadoU8zQjqdb1osZ+iiPmyTeEUazpAkBxreHzWynR/MkXTwY2h1:QHcYqdl+iiPVTeEUazpAkBFehnRzW1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Setup x32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Setup x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup x32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Setup x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Setup x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Setup x32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	powershell.exe
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2112	Setup x32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2500	2112	Setup x32.exe	79
PID 2112 wrote to memory of 2500	2112	Setup x32.exe	79
PID 2112 wrote to memory of 2500	2112	Setup x32.exe	79

C:\Users\Admin\AppData\Local\Temp\Setup x32.exe
"C:\Users\Admin\AppData\Local\Temp\Setup x32.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch

Filesize
26B

MD5
bd3457e50947d4280734e74b51b5b68d

SHA1
424635c6b5622a6c01a59d290a1c9ab8e593effc

SHA256
23d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5

SHA512
e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
memory/2500-140-0x000000006E580000-0x000000006E5CC000-memory.dmp

Filesize
304KB

Download
memory/2500-141-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/2500-136-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/2500-137-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/2500-138-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/2500-139-0x0000000006D10000-0x0000000006D42000-memory.dmp

Filesize
200KB

Download
memory/2500-135-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/2500-142-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/2500-143-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/2500-144-0x0000000007250000-0x0000000007266000-memory.dmp

Filesize
88KB

Download
memory/2500-145-0x00000000062F0000-0x00000000062FA000-memory.dmp

Filesize
40KB

Download
memory/2500-146-0x00000000072E0000-0x0000000007306000-memory.dmp

Filesize
152KB

Download
memory/2500-134-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/2500-133-0x00000000046F0000-0x0000000004726000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads