Analysis
max time kernel: 158s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/04/2023, 20:07
Static task: static1
Behavioral task: behavioral1
Sample: Setup/Setup.exe
Resource: win7-20230220-en
7 signatures, 150 seconds
General
Target: Setup/Setup.exe
Size: 995.1MB
MD5: 9f3c222f96cca9c2feb98eb5a4b4a712
SHA1: fe28ac4140274ad49adf83a3fa2cb51f4a9f679f
SHA256: 017f3df858edf64d85d00f07a4b72c9979f15e01dfb00e1b90035d03d64fe58b
SHA512: 2a4dc7c1bdebb7647ebe269ad5c994c95556d8873ad7c1e0ec5f3b31cb4563c2306fef99a72d5fa96002c7fd79c444c0d2e8574f61f484ee5158f999aad4b13c
SSDEEP: 384:KOMqjv10ETgLTTUzVi4JtLgwrPjSOnjl7F+Y:90ETgwzVi43gwrO4x7U
Malware Config
Signatures
- Downloads MZ/PE file
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4396 set thread context of 372 | 4396 | Setup.exe | 89
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 4396 wrote to memory of 372 | 4396 | Setup.exe | 89
  (the row above is listed 11 times in the report, one per IoC)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe"
  Depth: 1, PID: 4396
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    Depth: 2, PID: 372