827314d024602adeac8b178e3052dabb6711ab32b21544216876f937dadd2fd7

Analysis

max time kernel
152s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CS16Setup.exe
Size

227.6MB
MD5

a176ca285438038ce9b5f7dd29f6d1ac
SHA1

1e931dc7e08592298cbc8d3dc1612b5967a9581c
SHA256

b97bec6c15a33ff4392e204ba19727631f98aa6aba62ba5584757aa684c55174
SHA512

a72d527f22a6827d802a932ecd71f79d67208f5a75720abf01afee7c7901c5223eeae65c69e87fb8ee1a709e53602f3c49e29b8afd2c548934475217d5fca2d8
SSDEEP

6291456:dJrWC2GFEgv/Egj+I+2H/WWVMGcgjpkyEsKCv6Bb:/SndWXx+2lVigdc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3712	is-CAT28.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 3712	776	CS16Setup.exe	88
PID 776 wrote to memory of 3712	776	CS16Setup.exe	88
PID 776 wrote to memory of 3712	776	CS16Setup.exe	88

C:\Users\Admin\AppData\Local\Temp\CS16Setup.exe
"C:\Users\Admin\AppData\Local\Temp\CS16Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\is-9QJLQ.tmp\is-CAT28.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9QJLQ.tmp\is-CAT28.tmp" /SL4 $F0062 "C:\Users\Admin\AppData\Local\Temp\CS16Setup.exe" 238137020 209408
  2⤵
  - Executes dropped EXE
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9QJLQ.tmp\is-CAT28.tmp

Filesize
796KB

MD5
8535bf33ec74a738eb87c20393ea3fb4

SHA1
76c89805be4c7623f2b15e9c701421d6902bfe61

SHA256
f80191c6d74ddf142d6cde8136bbfdf17d3b46bcde724e7b3755f60d0314e8f6

SHA512
199c6250e951d901ce1d6d47bbf46d0ea67734f5f2488e054f8c961dd0f61d5b3f2596fc2a4a813d46b93ad9354f5ea9a57d0eb3e9feaff3bbd0bbd69552a7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9QJLQ.tmp\is-CAT28.tmp

Filesize
796KB

MD5
8535bf33ec74a738eb87c20393ea3fb4

SHA1
76c89805be4c7623f2b15e9c701421d6902bfe61

SHA256
f80191c6d74ddf142d6cde8136bbfdf17d3b46bcde724e7b3755f60d0314e8f6

SHA512
199c6250e951d901ce1d6d47bbf46d0ea67734f5f2488e054f8c961dd0f61d5b3f2596fc2a4a813d46b93ad9354f5ea9a57d0eb3e9feaff3bbd0bbd69552a7e6

Download Submit
memory/776-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/776-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3712-7-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3712-13-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3712-14-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download