beb2f55cbadbdbb08ec0a923d9fa30a5f6336f344179e40ad20d9f610a8ffc58

General

Target

setup.exe
Size

3.3MB
MD5

aa558914109bc06afbdbd8b95978cc2c
SHA1

8c95d95f6c63a2ea14801e8cebc7e4cc57ee04b4
SHA256

beb2f55cbadbdbb08ec0a923d9fa30a5f6336f344179e40ad20d9f610a8ffc58
SHA512

1d6b84ad30d0b4515b9b91ef765f6dd2b31aff2af5ea3341d0d276136ec725010b1273708bf7f6f5f4bff24cb53e4e48699eddeeb92dbca0db18d0b330b530f4
SSDEEP

49152:bG2cUy+P2Tq2+OBy17sdGh9prS8fNxUep+/J2NyyGQfZyM/dayFMTMUWyKsf7e/:K2krq9OU1YdGDQ+dMoGyyvyFLXio

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	setup.tmp

Loads dropped DLL 5 IoCs

pid	Process
2028	setup.exe
2016	setup.tmp
2016	setup.tmp
2016	setup.tmp
2016	setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2016	setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2016	setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2016	2028	setup.exe	28
PID 2028 wrote to memory of 2016	2028	setup.exe	28
PID 2028 wrote to memory of 2016	2028	setup.exe	28
PID 2028 wrote to memory of 2016	2028	setup.exe	28
PID 2028 wrote to memory of 2016	2028	setup.exe	28
PID 2028 wrote to memory of 2016	2028	setup.exe	28
PID 2028 wrote to memory of 2016	2028	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\is-IJUSF.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IJUSF.tmp\setup.tmp" /SL5="$90122,2956131,137216,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-6R757.tmp\Dark.png

Filesize
117KB

MD5
376b3bb43c9463d4136e81e610bb5907

SHA1
322d37cd519f1f00ad374d418a2c4cede91148ca

SHA256
a765370605ad8529763aaafb9fc814b194d49dca780e11b7989f3286a9f3e586

SHA512
36440598470853cc095c6bd1ff0660f203b876894b629eb5e3bd0ec5380ab91faf655c01f8e2cbcaad2fb0810c0fb4527fc452bace94dcf243f30c04a5f14083

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6R757.tmp\Lockscreen.jpg

Filesize
37KB

MD5
3b68cd074c5545900a4274c8fc429566

SHA1
e09b98223ac6a7f3a0b7b7547d19fca8f762dba1

SHA256
6107a008ba34903651af650a05eb2abc07c86d5bb69e42e98b4cd2fad0018ec9

SHA512
65bb2f170c173d17613b46beb5124dc4b05c28d8467ee08ce1cbaf035992d304de6c25b7253c2bcc5780aeb587ec77c385e7c95fed276e2f94212eb777762da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IJUSF.tmp\setup.tmp

Filesize
1.4MB

MD5
f31f23df86367d6c692ef8606c477080

SHA1
724854623e347705d2dd374876a591c8440e862a

SHA256
3c58b63918fd352de74822979fff32bc412543ba77e65e94db35aac5644d820b

SHA512
b5b8f644f4ad71d44bc08813bdfdfa31bef2e7cd553ba0cd93edb174cb30f5ef00b2c7b45f99c49cd81df44540658725b7952261ba7985e82daf52889960a807

Download Submit
\Users\Admin\AppData\Local\Temp\is-6R757.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6R757.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6R757.tmp\botva2.dll

Filesize
37KB

MD5
619bf9ddcb5fe39ee9e5b0167e7f4f0d

SHA1
6da8c0d2407d5221172765b00452efa0f361902f

SHA256
609661a14733f6e9c2c2f2ff9c274f8a4cbedaff4dd32049aa5161f8d7083d6a

SHA512
a89fc731805e83f889f408fe3fea769d0e44faf1e1dd37d3569bbf57a6086b1ffc8783778e0be8236447c7661c44051b2d4b1d3a643f7ebc35f6ef0625c6897a

Download Submit
\Users\Admin\AppData\Local\Temp\is-6R757.tmp\wintb.dll

Filesize
75KB

MD5
a2eee508e6a51c6335650532e05ac550

SHA1
8703fb138bb8443f17c0c24da7edd69b1f2660b1

SHA256
75fb2984e1b06f4278fb7b3c77e9fec84e02a3b4bf82d35120f8cbe7bdbc76bf

SHA512
14e1abea3109c17f1fbe6ec455593bf91ba1b811ea302806a83a97a96bf582f1c46e8fe635e1d8739c5c007298eabd41311e07e50961ec2084cf97bde0595370

Download Submit
\Users\Admin\AppData\Local\Temp\is-IJUSF.tmp\setup.tmp

Filesize
1.4MB

MD5
f31f23df86367d6c692ef8606c477080

SHA1
724854623e347705d2dd374876a591c8440e862a

SHA256
3c58b63918fd352de74822979fff32bc412543ba77e65e94db35aac5644d820b

SHA512
b5b8f644f4ad71d44bc08813bdfdfa31bef2e7cd553ba0cd93edb174cb30f5ef00b2c7b45f99c49cd81df44540658725b7952261ba7985e82daf52889960a807

Download Submit
memory/2016-81-0x0000000000890000-0x000000000089F000-memory.dmp

Filesize
60KB

Download
memory/2016-83-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2016-123-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2016-124-0x0000000000890000-0x000000000089F000-memory.dmp

Filesize
60KB

Download
memory/2016-125-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2016-133-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2028-54-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2028-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing