Analysis
max time kernel: 190s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2023 21:37
General
Target: Setup.exe
Size: 1.6MB
MD5: ce6eaa52767b2df78b34519231966588
SHA1: ab32d09951189022a1a39e9204ec9ce2926b3fcf
SHA256: 40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
SHA512: 36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
SSDEEP: 24576:Kqahn0IQ3i57AmG8W7+IZ0nwwoNR2+uBL8hxCMcIYwTxKAyuxCQyD2uG8wT5ngZx:KasHPBQxC/wTW2owTdIfpSKc
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: Setup.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | Setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | Setup.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: Setup.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | Setup.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar.

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ipinfo.io
7 | ipinfo.io
57 | api.db-ip.com
58 | api.db-ip.com

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe
pid | process
1052 | taskmgr.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: taskmgr.exe
pid | process
1052 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 1052 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1052 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1052 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: taskmgr.exe
pid | process
1052 | taskmgr.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
pid | process
1052 | taskmgr.exe (64 identical entries)
Processes

Path: C:\Users\Admin\AppData\Local\Temp\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings

Path: C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1052-133-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-134-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-135-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-140-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-139-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-141-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-142-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-143-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-144-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)
memory/1052-145-0x00000209C1E10000-0x00000209C1E11000-memory.dmp (4KB)