b4e7960ef248b8a35f8cd33962dae252e33d177822c9e8dbf40fdfbfe9e2e850

Analysis

max time kernel
153s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/05/2023, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SD1.4.0.672_Setup.exe
Size

3.3MB
MD5

d948dd85b8edb5391a5e04e274533558
SHA1

775aa63441a1ad26699b33bb8646006376fbdf35
SHA256

b4e7960ef248b8a35f8cd33962dae252e33d177822c9e8dbf40fdfbfe9e2e850
SHA512

34720a095d22733c57c47f5b37ff7171c9cf1c1654d9c759640baa84cca3f77cae032706d323363c25421c959decb49cd441dcada30195bc0cacce1281f06d61
SSDEEP

98304:/y/h1891BxZdruNEIw16ErKCRWrcqr88LhhzbWK:/S1Y33rBr9RWr9r88Lhhz6K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
336	Setup.exe
1628	Setup_x64.exe
600	Setup.exe
1204	Process not Found

Loads dropped DLL 8 IoCs

pid	Process
1344	SD1.4.0.672_Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
1628	Setup_x64.exe
1628	Setup_x64.exe
1628	Setup_x64.exe
1204	Process not Found

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\F:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
600	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
600	Setup.exe
600	Setup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 1344 wrote to memory of 336	1344	SD1.4.0.672_Setup.exe	28
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 336 wrote to memory of 1628	336	Setup.exe	29
PID 1628 wrote to memory of 600	1628	Setup_x64.exe	30
PID 1628 wrote to memory of 600	1628	Setup_x64.exe	30
PID 1628 wrote to memory of 600	1628	Setup_x64.exe	30
PID 1628 wrote to memory of 600	1628	Setup_x64.exe	30

C:\Users\Admin\AppData\Local\Temp\SD1.4.0.672_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\SD1.4.0.672_Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\7zC2F1565C\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zC2F1565C\Setup.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zC2F1565C\Setup.exe

Filesize
906KB

MD5
4cd89312146f921fd08d5f285852023b

SHA1
56eb14ebe14f367a69084a79943e4f74eb8d5b2d

SHA256
d632e9d4875b1bdeeddcb1b87cc459b50089db100306ab9303b763d1ec4a9593

SHA512
1a6af621aa617d690e73f986c3801ce6f70ad3509c8763f5c80c502d57c46bf37c7990c997846558ce590ce41ba54e7f5a95faf51ed4d32200e4ab90fe4ad25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe

Filesize
114KB

MD5
b453cd30e5a8883f2f88856fef990abd

SHA1
6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a

SHA256
e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb

SHA512
12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe

Filesize
114KB

MD5
b453cd30e5a8883f2f88856fef990abd

SHA1
6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a

SHA256
e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb

SHA512
12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe

Filesize
2.1MB

MD5
ccf8d4eec6390047289b31806535829b

SHA1
b4f90305821e9adc4b72c0b25591ec8b42437565

SHA256
de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703

SHA512
3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe

Filesize
2.1MB

MD5
ccf8d4eec6390047289b31806535829b

SHA1
b4f90305821e9adc4b72c0b25591ec8b42437565

SHA256
de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703

SHA512
3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

Download Submit
\Users\Admin\AppData\Local\Temp\7zC2F1565C\Setup.exe

Filesize
906KB

MD5
4cd89312146f921fd08d5f285852023b

SHA1
56eb14ebe14f367a69084a79943e4f74eb8d5b2d

SHA256
d632e9d4875b1bdeeddcb1b87cc459b50089db100306ab9303b763d1ec4a9593

SHA512
1a6af621aa617d690e73f986c3801ce6f70ad3509c8763f5c80c502d57c46bf37c7990c997846558ce590ce41ba54e7f5a95faf51ed4d32200e4ab90fe4ad25b

Download Submit
\Users\Admin\AppData\Local\Temp\7zC2F1565C\Setup.exe

Filesize
906KB

MD5
4cd89312146f921fd08d5f285852023b

SHA1
56eb14ebe14f367a69084a79943e4f74eb8d5b2d

SHA256
d632e9d4875b1bdeeddcb1b87cc459b50089db100306ab9303b763d1ec4a9593

SHA512
1a6af621aa617d690e73f986c3801ce6f70ad3509c8763f5c80c502d57c46bf37c7990c997846558ce590ce41ba54e7f5a95faf51ed4d32200e4ab90fe4ad25b

Download Submit
\Users\Admin\AppData\Local\Temp\7zC2F1565C\Setup.exe

Filesize
906KB

MD5
4cd89312146f921fd08d5f285852023b

SHA1
56eb14ebe14f367a69084a79943e4f74eb8d5b2d

SHA256
d632e9d4875b1bdeeddcb1b87cc459b50089db100306ab9303b763d1ec4a9593

SHA512
1a6af621aa617d690e73f986c3801ce6f70ad3509c8763f5c80c502d57c46bf37c7990c997846558ce590ce41ba54e7f5a95faf51ed4d32200e4ab90fe4ad25b

Download Submit
\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe

Filesize
114KB

MD5
b453cd30e5a8883f2f88856fef990abd

SHA1
6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a

SHA256
e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb

SHA512
12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

Download Submit
\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe

Filesize
114KB

MD5
b453cd30e5a8883f2f88856fef990abd

SHA1
6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a

SHA256
e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb

SHA512
12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

Download Submit
\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup.exe

Filesize
114KB

MD5
b453cd30e5a8883f2f88856fef990abd

SHA1
6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a

SHA256
e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb

SHA512
12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

Download Submit
\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe

Filesize
2.1MB

MD5
ccf8d4eec6390047289b31806535829b

SHA1
b4f90305821e9adc4b72c0b25591ec8b42437565

SHA256
de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703

SHA512
3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

Download Submit
\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe

Filesize
2.1MB

MD5
ccf8d4eec6390047289b31806535829b

SHA1
b4f90305821e9adc4b72c0b25591ec8b42437565

SHA256
de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703

SHA512
3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

Download Submit
\Users\Admin\AppData\Local\Temp\7zC38E2540\Setup_x64.exe

Filesize
2.1MB

MD5
ccf8d4eec6390047289b31806535829b

SHA1
b4f90305821e9adc4b72c0b25591ec8b42437565

SHA256
de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703

SHA512
3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

Download Submit
memory/600-107-0x0000000140000000-0x00000001400E9000-memory.dmp

Filesize
932KB

Download
memory/600-108-0x0000000140000000-0x00000001400E9000-memory.dmp

Filesize
932KB

Download
memory/1628-106-0x00000000005E0000-0x00000000006C9000-memory.dmp

Filesize
932KB

Download