86f86a9eea4bd1cf413a6405f924727203fe3d89e73e8941f705526b854bac85

Resubmissions

28/05/2023, 14:30

230528-rvgcrsfg5t 7

28/05/2023, 14:25

230528-rrn87sfc79 7

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
28/05/2023, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhotoCss6/setup.exe
Size

73.7MB
MD5

02dde17be4c7a3dce827d28df8117e3c
SHA1

2098d73511a1daac926645cad8a7b5fec6cf7f47
SHA256

e071f7aff74e187f07a9f1ee88eeac9be728447aad359a0cda32fe7b62228bec
SHA512

31c9f5582872e4634751ef1ab52b0f8e57ec0408c78aaa1aeb7d6883ae0991416da3c5eaea27ca64b5c6eb5fde930f85acf4fa9c68485b546e528081d22a6156
SSDEEP

1572864:wKT3GWkokgm1Pia0dgTqHXwTvQ6GH0FBEJNJ5TOLOx7fSTtjIvmExf:wKTWWMia0mDAUrEzvOG6T2e+f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1304	setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
1488	setup.exe
1304	setup.tmp
1304	setup.tmp

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.tmp
File opened (read-only)	\??\F:	setup.tmp
File opened (read-only)	\??\L:	setup.tmp
File opened (read-only)	\??\M:	setup.tmp
File opened (read-only)	\??\P:	setup.tmp
File opened (read-only)	\??\W:	setup.tmp
File opened (read-only)	\??\A:	setup.tmp
File opened (read-only)	\??\B:	setup.tmp
File opened (read-only)	\??\Z:	setup.tmp
File opened (read-only)	\??\K:	setup.tmp
File opened (read-only)	\??\O:	setup.tmp
File opened (read-only)	\??\Q:	setup.tmp
File opened (read-only)	\??\E:	setup.tmp
File opened (read-only)	\??\J:	setup.tmp
File opened (read-only)	\??\I:	setup.tmp
File opened (read-only)	\??\N:	setup.tmp
File opened (read-only)	\??\R:	setup.tmp
File opened (read-only)	\??\S:	setup.tmp
File opened (read-only)	\??\T:	setup.tmp
File opened (read-only)	\??\U:	setup.tmp
File opened (read-only)	\??\G:	setup.tmp
File opened (read-only)	\??\H:	setup.tmp
File opened (read-only)	\??\X:	setup.tmp
File opened (read-only)	\??\V:	setup.tmp
File opened (read-only)	\??\Y:	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1304	setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1304	1488	setup.exe	28
PID 1488 wrote to memory of 1304	1488	setup.exe	28
PID 1488 wrote to memory of 1304	1488	setup.exe	28
PID 1488 wrote to memory of 1304	1488	setup.exe	28
PID 1488 wrote to memory of 1304	1488	setup.exe	28
PID 1488 wrote to memory of 1304	1488	setup.exe	28
PID 1488 wrote to memory of 1304	1488	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\PhotoCss6\setup.exe
"C:\Users\Admin\AppData\Local\Temp\PhotoCss6\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\is-TMQSV.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TMQSV.tmp\setup.tmp" /SL5="$70138,76731090,67072,C:\Users\Admin\AppData\Local\Temp\PhotoCss6\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TMQSV.tmp\setup.tmp

Filesize
700KB

MD5
e96f5762d16377ae76b21f5d65d196b5

SHA1
dd401b51830d5fc5c13715945035e730e0fa3f2d

SHA256
00e2eef72f6374bd4bb8d983a63d7fa1e6b1b24b7d4d8b80126033544e15a1e8

SHA512
68fe9acfc1e07f362383afc658abf9d3beaafd5cde514eb398b90ec01562cce943f15254119efcb7d2c5f8a526d14ee6282559cbf0fdcd0ad9d34ac4ccfaabc8

Download Submit
\Users\Admin\AppData\Local\Temp\is-I3UA5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-I3UA5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQSV.tmp\setup.tmp

Filesize
700KB

MD5
e96f5762d16377ae76b21f5d65d196b5

SHA1
dd401b51830d5fc5c13715945035e730e0fa3f2d

SHA256
00e2eef72f6374bd4bb8d983a63d7fa1e6b1b24b7d4d8b80126033544e15a1e8

SHA512
68fe9acfc1e07f362383afc658abf9d3beaafd5cde514eb398b90ec01562cce943f15254119efcb7d2c5f8a526d14ee6282559cbf0fdcd0ad9d34ac4ccfaabc8

Download Submit
memory/1304-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1304-89-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-95-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-73-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-93-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-78-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-80-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-82-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-84-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-87-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1304-91-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1488-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1488-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download