827314d024602adeac8b178e3052dabb6711ab32b21544216876f937dadd2fd7

Analysis

max time kernel
143s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23/09/2023, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CS16Setup.exe
Size

227.6MB
MD5

a176ca285438038ce9b5f7dd29f6d1ac
SHA1

1e931dc7e08592298cbc8d3dc1612b5967a9581c
SHA256

b97bec6c15a33ff4392e204ba19727631f98aa6aba62ba5584757aa684c55174
SHA512

a72d527f22a6827d802a932ecd71f79d67208f5a75720abf01afee7c7901c5223eeae65c69e87fb8ee1a709e53602f3c49e29b8afd2c548934475217d5fca2d8
SSDEEP

6291456:dJrWC2GFEgv/Egj+I+2H/WWVMGcgjpkyEsKCv6Bb:/SndWXx+2lVigdc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	is-4FRKL.tmp

Loads dropped DLL 3 IoCs

pid	Process
1212	CS16Setup.exe
2072	is-4FRKL.tmp
2072	is-4FRKL.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	is-4FRKL.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28
PID 1212 wrote to memory of 2072	1212	CS16Setup.exe	28

C:\Users\Admin\AppData\Local\Temp\CS16Setup.exe
"C:\Users\Admin\AppData\Local\Temp\CS16Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\is-S04A5.tmp\is-4FRKL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S04A5.tmp\is-4FRKL.tmp" /SL4 $30158 "C:\Users\Admin\AppData\Local\Temp\CS16Setup.exe" 238137020 209408
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-S04A5.tmp\is-4FRKL.tmp

Filesize
796KB

MD5
8535bf33ec74a738eb87c20393ea3fb4

SHA1
76c89805be4c7623f2b15e9c701421d6902bfe61

SHA256
f80191c6d74ddf142d6cde8136bbfdf17d3b46bcde724e7b3755f60d0314e8f6

SHA512
199c6250e951d901ce1d6d47bbf46d0ea67734f5f2488e054f8c961dd0f61d5b3f2596fc2a4a813d46b93ad9354f5ea9a57d0eb3e9feaff3bbd0bbd69552a7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S04A5.tmp\is-4FRKL.tmp

Filesize
796KB

MD5
8535bf33ec74a738eb87c20393ea3fb4

SHA1
76c89805be4c7623f2b15e9c701421d6902bfe61

SHA256
f80191c6d74ddf142d6cde8136bbfdf17d3b46bcde724e7b3755f60d0314e8f6

SHA512
199c6250e951d901ce1d6d47bbf46d0ea67734f5f2488e054f8c961dd0f61d5b3f2596fc2a4a813d46b93ad9354f5ea9a57d0eb3e9feaff3bbd0bbd69552a7e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-M18GM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-M18GM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-S04A5.tmp\is-4FRKL.tmp

Filesize
796KB

MD5
8535bf33ec74a738eb87c20393ea3fb4

SHA1
76c89805be4c7623f2b15e9c701421d6902bfe61

SHA256
f80191c6d74ddf142d6cde8136bbfdf17d3b46bcde724e7b3755f60d0314e8f6

SHA512
199c6250e951d901ce1d6d47bbf46d0ea67734f5f2488e054f8c961dd0f61d5b3f2596fc2a4a813d46b93ad9354f5ea9a57d0eb3e9feaff3bbd0bbd69552a7e6

Download Submit
memory/1212-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1212-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2072-16-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download