48b3cc0799138804952d7804a326a9356b4713be099d09a03d315d6fa8a6df28

General

Target

setup.exe
Size

445.4MB
MD5

3c8b5a353e44aaba17ce59a4924a2181
SHA1

4a37a03782dd4aa9b39cee134d92038e917120cf
SHA256

43f8acfcc15d7f48701769a324cb99b12c541e80185a7caa0b6be63fad025490
SHA512

1b2bb3467257c43f63787d88bd2dd5072bff3c888a12da53ce9812ed0de0af41492a846f30e9174fb9f231b98a213bc5ff02097a68cc1d65e78c040ce0cb5f8c
SSDEEP

98304:dkLr9c9WJPSHRzilwSzrgGzPgffmfmpS8J656RA:ur9c9eqH9ilweImfySF56RA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	setup.tmp

Executes dropped EXE 2 IoCs

pid	Process
2116	setup.tmp
3940	setup.tmp

Loads dropped DLL 2 IoCs

pid	Process
2116	setup.tmp
3940	setup.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3940 set thread context of 3232	3940	setup.tmp	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2116	4660	setup.exe	86
PID 4660 wrote to memory of 2116	4660	setup.exe	86
PID 4660 wrote to memory of 2116	4660	setup.exe	86
PID 2116 wrote to memory of 2172	2116	setup.tmp	88
PID 2116 wrote to memory of 2172	2116	setup.tmp	88
PID 2116 wrote to memory of 2172	2116	setup.tmp	88
PID 2172 wrote to memory of 3940	2172	setup.exe	89
PID 2172 wrote to memory of 3940	2172	setup.exe	89
PID 2172 wrote to memory of 3940	2172	setup.exe	89
PID 3940 wrote to memory of 3232	3940	setup.tmp	90
PID 3940 wrote to memory of 3232	3940	setup.tmp	90
PID 3940 wrote to memory of 3232	3940	setup.tmp	90
PID 3940 wrote to memory of 3232	3940	setup.tmp	90

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Local\Temp\is-BVQJP.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BVQJP.tmp\setup.tmp" /SL5="$900DE,4786959,938496,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\is-L6D7L.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-L6D7L.tmp\setup.tmp" /SL5="$A00DE,4786959,938496,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9DU26.tmp\lcbkoaekwf.dll

Filesize
308KB

MD5
9afbe3895f23f99d160da31a9ae256b5

SHA1
c24598b4b152ce00c043c7ed1ecd380acab6a078

SHA256
34583f90cb62b7ce863b9c83d6d0f828b7b0692ba7edd441051fadb45d633aae

SHA512
6a09626405e61faa305f99f77a764e25a64fe0f27611d400448bceeaaad41b3495dc4b0b8d5ee0d8c6f234128843110b7484aafbabf1857a148cc0e4bb4a6a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BVQJP.tmp\setup.tmp

Filesize
3.1MB

MD5
6ed01e45e5bf1fb0f50408a973c69125

SHA1
bf65c72311a115f0a870bad044acd9c43a644461

SHA256
7b58eaa114f1c4088de6860642bdda0343b20afb0947bcb62639f009d8c9fe1f

SHA512
db9d33596e3df150f29c9bf745ccf73a1052aae43adfd263dd29d8864d356d7cdc66324465db07bd42a136ad782f7cf5f74e122d1e55178bf659a0262fbd336e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L6D7L.tmp\setup.tmp

Filesize
3.1MB

MD5
6ed01e45e5bf1fb0f50408a973c69125

SHA1
bf65c72311a115f0a870bad044acd9c43a644461

SHA256
7b58eaa114f1c4088de6860642bdda0343b20afb0947bcb62639f009d8c9fe1f

SHA512
db9d33596e3df150f29c9bf745ccf73a1052aae43adfd263dd29d8864d356d7cdc66324465db07bd42a136ad782f7cf5f74e122d1e55178bf659a0262fbd336e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O1SIO.tmp\lcbkoaekwf.dll

Filesize
308KB

MD5
9afbe3895f23f99d160da31a9ae256b5

SHA1
c24598b4b152ce00c043c7ed1ecd380acab6a078

SHA256
34583f90cb62b7ce863b9c83d6d0f828b7b0692ba7edd441051fadb45d633aae

SHA512
6a09626405e61faa305f99f77a764e25a64fe0f27611d400448bceeaaad41b3495dc4b0b8d5ee0d8c6f234128843110b7484aafbabf1857a148cc0e4bb4a6a48

Download Submit
memory/2116-138-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2116-147-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/2172-145-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2172-163-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3232-158-0x0000000000C50000-0x0000000000C78000-memory.dmp

Filesize
160KB

Download
memory/3232-161-0x0000000000C50000-0x0000000000C78000-memory.dmp

Filesize
160KB

Download
memory/3232-160-0x0000000000C50000-0x0000000000C78000-memory.dmp

Filesize
160KB

Download
memory/3232-164-0x0000000000C50000-0x0000000000C78000-memory.dmp

Filesize
160KB

Download
memory/3232-166-0x0000000000C50000-0x0000000000C78000-memory.dmp

Filesize
160KB

Download
memory/3940-159-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/4660-149-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4660-133-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing