Analysis

- max time kernel: 26s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 19:51
Static task: static1

Behavioral task: behavioral1
- Sample: Setup64.exe
- Resource: win7-20230220-en (windows7-x64)
- 3 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: Setup64.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 17 signatures, 150 seconds
General

- Target: Setup64.exe
- Size: 8.0MB
- MD5: 1cb0c517220253564af5702918929487
- SHA1: 3d95c566c8f773abd0ff18ff73f097d7eb61dc83
- SHA256: 938275f201c537e5dc28833645bec58885e3e69d9dc1cd38e611d2977959f405
- SHA512: 400be5903f60a839418c3f9a173604d0b32e0cb741597268288d2e222ada60de1016432a3c3db8e45bad67210c68339056477a91c8c7ee9468624b92b30d51b0
- SSDEEP: 196608:ffgwOpYPwsTyxbeAi7jmye1fOEfuP++iZpXUg/33JHey:IYPAxCp7jRyfOPiZpXl3JHey
- Score: 7/10
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation
    process: Setup64.exe

- Program crash (1 IoC)
  Processes:
  - pid: 1812
    pid_target: 1948
    process: WerFault.exe
    target process: Setup64.exe

- Suspicious use of WriteProcessMemory (4 IoCs; all four entries are identical)
  Processes:
  - description: PID 1948 wrote to memory of 1812
    pid: 1948
    process: Setup64.exe
    target process: WerFault.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Setup64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup64.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 532
    - Program crash