Overview

overview

8

Static

static

3

AutoSetup.exe

windows7-x64

8

AutoSetup.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2023 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AutoSetup.exe

  • Size

    536KB

  • MD5

    6d93a2baab5525576367509416853525

  • SHA1

    4c2984403e224302de125ad81a011aff551fcce8

  • SHA256

    3ce6c698fd08c3b2aef2e2698ffee9e596b3b33ed3b78095a4e0430f1a577c16

  • SHA512

    2cefe0310dce1aeb2fe61d459c0f284ffe1bc87d64aa402d8e82e3b8ab15cb2b5ed71ee79eff80d753e2b4e6d3a8cef9c9c97c041937067dd6105096765aded2

  • SSDEEP

    6144:QYEzHrx2LNt+AvAikMy9v76alBHLSaesSkiAvHXL9yxAYQhr5ohUBr6oxPXuXxCZ:amnvJkPvualtysrHXLCALoKfCcpHcg

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://www.sordum.org/files/downloads.php?st-defender-control 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.sordum.org/files/downloads.php?st-defender-control
        3⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2924
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275465 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:284
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC CPU Get VirtualizationFirmwareEnabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC CPU Get VirtualizationFirmwareEnabled
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://aka.ms/vs/17/release/vc_redist.x64.exe 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/vs/17/release/vc_redist.x64.exe
        3⤵
          PID:2624
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c w32tm /register 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\system32\w32tm.exe
          w32tm /register
          3⤵
          • Sets DLL path for service in the registry
          PID:752
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop w32time 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\system32\net.exe
          net stop w32time
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop w32time
            4⤵
              PID:1432
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c w32tm /unregister 2>nul
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:276
          • C:\Windows\system32\w32tm.exe
            w32tm /unregister
            3⤵
              PID:1756
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c w32tm /register 2>nul
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\system32\w32tm.exe
              w32tm /register
              3⤵
              • Sets DLL path for service in the registry
              PID:880
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c net start w32time 2>nul
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\system32\net.exe
              net start w32time
              3⤵
                PID:2108
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 start w32time
                  4⤵
                    PID:1908
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c w32tm /resync 2>nul
                2⤵
                  PID:2984
                  • C:\Windows\system32\w32tm.exe
                    w32tm /resync
                    3⤵
                      PID:2008
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c wmic os get version | findstr /R "[0-9]\.[0-9]\.[0-9]"
                    2⤵
                      PID:632
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic os get version
                        3⤵
                          PID:700
                        • C:\Windows\system32\findstr.exe
                          findstr /R "[0-9]\.[0-9]\.[0-9]"
                          3⤵
                            PID:1920

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        3a778ad21bb94aa9cbfb7ae19b72af00

                        SHA1

                        c620a1da9950a30ccef96f441e0124d5d2d39bf1

                        SHA256

                        3055a2574e0042cb4a29f50ad808663756a7039d4581d0eb8ed4051796862487

                        SHA512

                        1df9586a0fde9db1902045a71c41514635e83817c5e62ecd3b0000fa68271e49a0ca9b57617d7bfa99dfe146c54de9299662cc6ad603fd67e2881719c9007d45

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        04d4323b1d198e50d0b99d76d3f35dfd

                        SHA1

                        5b159425508bbf7e669191c9f9ae78fa12615377

                        SHA256

                        214e0dcd42991ed216438bdd823273a7191ae7f5c958a5629f2e8658c305d00d

                        SHA512

                        461d1b34d200301c00ab5959df0bcb2a7ecf252fd1a5ecc6dbd51e29321081f466af54a13d1755e6c803b3aa57008fc6ca1be452060015635e2dec5235cef38f

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        430159f21643343d0bb09ebe9354fbbf

                        SHA1

                        58c82e1a59089f1083e60244a8ea961ee191f849

                        SHA256

                        27e676588e2e828efe4b1879204d14902ea9cb2268da81d260da816a4c5bcbd0

                        SHA512

                        da083575b3a0ebcd660fba2ea5a056b614526b3799aadf01d01dfae48d5da210aa75e455d02709a33b5120c7751e05b462b801a7ca5f15440087e2a9d49f48d9

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        a3c56371d1971edc7463d33208eebf1f

                        SHA1

                        c3776a24c3e16aa28124015c15455a8859006305

                        SHA256

                        03c21f2c623eeb5eebcae2bb5f3ae623a6a98990948326d48231a4f4f6334dce

                        SHA512

                        5d6226c1cd533e07773fe29ba651cb6c517c55929eb8a6ecb1354c76fc7e29c7734cc388f744eb520227d30a83b23d4019f36d9fb7fe225b2fa527a47d2d857a

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        0e2be833b924cbf50c6088abc3595703

                        SHA1

                        1e3a2af13b61442db270c2cb9e89236d4ab9a2e9

                        SHA256

                        0b32485d93ce2e86212d28a6f26c56c7e16aa2572897a62f3f5a76c90ddb929e

                        SHA512

                        86e98cc25dd5c872e0fbcddbaf8c015ccb24503c0b0901255996d92f656c09a71650737ba20d89d4ff72d7295578d5893d15d36ad002a12b136c6726d521a327

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        7db8a9068416c3398db14427c02c13cd

                        SHA1

                        3baa1e0e1c484d52fc15c14751afa94c10819da0

                        SHA256

                        1eb73ca42c4a3e59d78196af230cb47205df21d650ccabdffec3dbe600af71df

                        SHA512

                        f61d88121e9c1b5f3a31e603f096cfe916e451e2563ec13342d3d9f6c206a7bfa2c04283e11c91d30068536ff5318b598e1ba24e175c630ef5e9f35151b49d72

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        ee476fd65e68f29ef9a26f0db293598c

                        SHA1

                        7793e24f5c0c766c8cbf2b5431e57b6cacd1cb6e

                        SHA256

                        144518cac8676c56c50b11932bbef9b4c0ebda12441c66c197ea7f287392e779

                        SHA512

                        0378abf1e096d1c6e958c7fb3081da20140930b9a1150e9eab9bd068e7600e179ff172f0b5a540605d31714deb3ea2a13c03024e5c6acf1381296df7d61cee0b

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        4bc9acc37159acc6e848c4ac2ea9eab1

                        SHA1

                        88d7d950bdb0d6f0a0f5ed3549903a6961b59deb

                        SHA256

                        f1f15c8e34b206bbe32bc1e00165d0ca4a7ccf948eeb6ac4c981c967f78d513e

                        SHA512

                        e2b76ed99109c406ef84ab79cc2cf030c82d4e95429228980e2f56904c8b3e1db30b8ac399eaa72874f34eb218c80ec0a9e9ef12740425ac5e9d0530aaa27aba

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        bd6ba3ddfccdfa9e40f0bfcf19331d66

                        SHA1

                        517e20da36d4c7e6cf966fb5acbba4d590b5d0f3

                        SHA256

                        0bf83bae82431cb9861d5a6b050d8f2925dd4b097b165827c8fe1d8301ba6dc9

                        SHA512

                        0fd47de5b648abe2cbc5f2549c973f315af01ea3e725ef77468109e6c1a63eb64e45558adee07f0386f852dfc9e9657d21e17e126d3e935c7e759f8ad0a0f50c

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        e96b78fdf75670ed272988c3a6233679

                        SHA1

                        f9142cc11cce1d1f0ec298724ecde2050dde3473

                        SHA256

                        dba860890fc6743ff009f7bccb1d749db70c383a930ac8d6e7feda48154cb7a6

                        SHA512

                        396cfc4f827f14830d1f85aa7181a664071cb36be5804f83fe6db1928acc16b1a34f173f2f88bbb7b23387bf4a0e2b84d2c2a747bf4995a08dbf0e5e0fbac570

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        88400c0a32313b1e81211eb2f0ecfcb7

                        SHA1

                        851046bf77dee532f41512ee12a33849f03a6d8f

                        SHA256

                        c16b2ed3f36b062c053ec724acbbf67932af3fd5ca156ac70b7b2bae53cdb2be

                        SHA512

                        62c43c769bf95a1359cf4150d66c8e9eaf1949d69d07d0032a7a534a332dd1e1a6fecf73d718f88bd075f5065067f9d652ddbf286a1ed8f1a69246d005435fe6

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        5f7198f8cc477f586bcecba5154f0923

                        SHA1

                        fcb50f5450be8b81c1fa1c926d8bf43b3f531c6d

                        SHA256

                        c511b9c37d7618b3dbb6fed480d39a066a0394e55fdacd32d4a104eca34ab449

                        SHA512

                        e31a74c4e1fbc6cedcd7e16c9066c6f4c345edf32514121f8a56c814386b678e9499accd69f07f6f2c24cd0ac0ce797b2fe862910a6a06d9115f16ad2ae5a960

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        b7c522085f963facf97656e94cbdfceb

                        SHA1

                        a2828a649f69306184f0f08464555d86b3477517

                        SHA256

                        87f77488d2395822307b6d0849f865f87cf0f4133d9afbd836ee150955cb24eb

                        SHA512

                        70ab35f5b6b4184f6becf8b9c01b61b04f89a413d3263a45bca46bf6bfcd7f7860ac55aa7258b2152a8d9ee50dbc2e99938891cafc7b948ecd71d982442729d2

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        6e984c1ed997f5d049b35a594ddc7c51

                        SHA1

                        3b3b6cb9b7b8a3c0c7c161a6e360c874450adaa2

                        SHA256

                        7dc4c55e52ff44aaba73d11d37d22b09ef94e77665f6dac12e0acdf4c42ae5ed

                        SHA512

                        36c812860d4334120f2d61603458532d9e912e7efe3bdf290b9323bcfce0a49eadd9b57f6b0f2f1c22be178a1847174e725d87dd714a8f85392df412a7673a23

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        761afcdfb83a616229d0123d9f559aa2

                        SHA1

                        1b9596b1d4fa5ac2f9d74890fe6c93cfa7aa6b2c

                        SHA256

                        96cd4a6cd19c2ff5aeec85cd0f6767f0cc64d91bad256e8faef6b9ca9a54b47b

                        SHA512

                        00b5340906eee52e32b278f6821c74799920caf59b24ed9d97627bb78928f96f958fe051f5abdd8b6fea44ebbf43f266505701f8e371aeedd3aa32717a3621ef

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        8b673f33c59edbd5dc074970904ad841

                        SHA1

                        e29b80f23546bf351066e1f910240dde49976719

                        SHA256

                        5e9be7cf60c94090d97a5855e22b560b7d5a9f9306451cdcd1fdd16a28a202ba

                        SHA512

                        656d9dae66ba2be025ade8975f4695800eb9594b22bac624f2e6681209809dbfdd5753f648aefd78727da7165dca8d47026392e607a5b0cc923fa592f5dd47e6

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                        Filesize

                        344B

                        MD5

                        d5914ddba5a3942eecce536b696b6706

                        SHA1

                        234d745cfa323b36516cff605a53e94cc68bc464

                        SHA256

                        0b25eb72e942ed8be90019f93a1ff11da282d29bfcb529809cb1d4376a802cad

                        SHA512

                        4e12c3ec614cca7a62d293aae9e247c462e88bbbf6d8fbd3424a7dd0b1ce611ce492aff04f07e78fa6bf4f5c563d399801a0fb8132ceb7958ce15a06a2e5ec3d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJMXAU3H\suggestions[1].en-US
                        Filesize

                        17KB

                        MD5

                        5a34cb996293fde2cb7a4ac89587393a

                        SHA1

                        3c96c993500690d1a77873cd62bc639b3a10653f

                        SHA256

                        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                        SHA512

                        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Cab90AB.tmp
                        Filesize

                        62KB

                        MD5

                        3ac860860707baaf32469fa7cc7c0192

                        SHA1

                        c33c2acdaba0e6fa41fd2f00f186804722477639

                        SHA256

                        d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

                        SHA512

                        d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Tar90BE.tmp
                        Filesize

                        164KB

                        MD5

                        4ff65ad929cd9a367680e0e5b1c08166

                        SHA1

                        c0af0d4396bd1f15c45f39d3b849ba444233b3a2

                        SHA256

                        c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

                        SHA512

                        f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H3EVRFQT.txt
                        Filesize

                        603B

                        MD5

                        58f653f4ff30117002abf356c9aff71d

                        SHA1

                        beb39bae7a6cf34ad9b64ad3f45b21e0528feb29

                        SHA256

                        81368c15148c3125f4e769c95a2bb7fdc20afa65e8aad1397f6c0b8c0d5eefd8

                        SHA512

                        83d321127d2d74e5b70a71c84a677e2e9b42bf2d7854be3fd26f4e3110f60472f8e1ca7a124cd8740af04b3bc9c3df97cce8b95a5d1d37d9542fc6351a9b80e4

                        Download Submit