fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe
Size

5.3MB
MD5

c9b3635659d85e29b788a301f05ddb98
SHA1

fcdfdef67e0b01392201461c23838dc2de54c1e4
SHA256

fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79
SHA512

0e333b893d080592b5e0fa4296df1a239503845b9b95abe9d4f8c30979ee27d12aff7a91f9f30f8418842d7cecdc5177e11670e983c69b777f197b496e8337aa
SSDEEP

98304:tiTy77sA5pYQ1mwurOqWgNlXiAWWsB+6UsZ34LIhE6Lm2Ueu/q7xiTVY:tBXsA5/kTrxWgNlSXWw+6UbMqCm2BuSL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp
2892	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp
1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp
1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1240	1444	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe	84
PID 1444 wrote to memory of 1240	1444	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe	84
PID 1444 wrote to memory of 1240	1444	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe	84
PID 1240 wrote to memory of 2892	1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp	85
PID 1240 wrote to memory of 2892	1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp	85
PID 1240 wrote to memory of 2892	1240	fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp	85

C:\Users\Admin\AppData\Local\Temp\fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe
"C:\Users\Admin\AppData\Local\Temp\fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\is-SP2SV.tmp\fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SP2SV.tmp\fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp" /SL5="$80058,4693544,770048,C:\Users\Admin\AppData\Local\Temp\fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\is-2H5OC.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-2H5OC.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2H5OC.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H5OC.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H5OC.tmp\setup.exe

Filesize
860KB

MD5
92e93b5716bd3e7e16b5c09fb8cb0b92

SHA1
ab202d461939b09e0c173ebe8615b4715ed5817e

SHA256
56c07873cebde3cf08ea51981c534ed26eda26c33ca5eb905bcd69744ac37e0b

SHA512
32f58e70a5f240cd990b3a7e2dcb1e0348cc33f9758d19ef0ebf9eeb6eadecb58459a88600eb762b0700d82f4c514503902c7fe6ee0937d73171dc647fee22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2H5OC.tmp\setup.exe

Filesize
860KB

MD5
92e93b5716bd3e7e16b5c09fb8cb0b92

SHA1
ab202d461939b09e0c173ebe8615b4715ed5817e

SHA256
56c07873cebde3cf08ea51981c534ed26eda26c33ca5eb905bcd69744ac37e0b

SHA512
32f58e70a5f240cd990b3a7e2dcb1e0348cc33f9758d19ef0ebf9eeb6eadecb58459a88600eb762b0700d82f4c514503902c7fe6ee0937d73171dc647fee22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SP2SV.tmp\fc7b617360b5fa5cfd9449e1aaa8bc85c6efe15872b3275ec11b75ca9f87ae79.tmp

Filesize
3.0MB

MD5
301be9f96a752e1e94d7641d204cbc56

SHA1
0032e851487884f9de70756592af4ab1131a0cd9

SHA256
3e9e3bdda71d2d52e3f11305236e63f7dab188b51dcdffd316183900759c98aa

SHA512
7f4595aed67953bcff1ab164b65914ac804a6a62fb481bbf610fc541d6ed7ac196b8c76ab9c311f738a584359abeae919332853b4be801d5c31bfeb2bc28fb2e

Download Submit
memory/1240-6-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1240-84-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1240-85-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1444-1-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1444-82-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download