45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 10:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe
Size

912KB
MD5

c5b3f7c9084de3319e54e5557ce6099d
SHA1

3a87e31136d04125d27a49b2ae3fa7842db0f6d1
SHA256

45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c
SHA512

d88397193a9b63e580230801bbff417e2324811afcfdeabfcbe4599a8e7b9db9ec2817d320f2a71514138bd3142eab93edf35de17043d816fe66508759fa8117
SSDEEP

24576:mnqR6WsL/nUEbZjBCW4V9CNLPWJycq9BPFh14DsO9YAZUA:Z6DDUEHI9++63n14Dh9x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2556	setupwiz.exe

Loads dropped DLL 5 IoCs

pid	Process
2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe
2556	setupwiz.exe
2556	setupwiz.exe
2556	setupwiz.exe
2556	setupwiz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	setupwiz.exe
2556	setupwiz.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28
PID 2412 wrote to memory of 2556	2412	45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\45c44eca9f3d83577c76d413259b844549012defe8d31bd0f34924f0d991625c_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe
  "C:\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fy_start.htm

Filesize
552B

MD5
efc5f663f5d78f7f730b4a78bc8b9c4b

SHA1
dea6579623eeb1e6b7ebdaaab05056d701c5ed48

SHA256
0be70d8d55f8381e9baa9486dc9b916e9eb442289e37732066b3e02a3f9b1944

SHA512
dca5a1897d6673028dc42b8f07a710f2d3a31d832e636f8d5e5280dae1836022a956e82ff49efc7b7bfbe257dca29819d3e0f707258b3b5e0c998349b4aef3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sub.bmp

Filesize
156KB

MD5
631dec6741bf1e44a5d9ea83b1fb2c1c

SHA1
a9237b5caf6ed2ad7c9ef20cf703e7804f967115

SHA256
bfd34f5a389f9f5658b24728aba0c29882c17c873a8724d39ff678c47dd1cb00

SHA512
45f8a0d680be041a1309f846ea5f2f8807a195681ec52202073bac115fc9354e0f464e07a5e233803313857fe78e331a3215c8efcd8d857179dae2e92289ac56

Download Submit
C:\Users\Admin\AppData\Roaming\SHTEMP\MFC42.DLL

Filesize
992KB

MD5
e36a58868f19b7b23374946356b3fe4f

SHA1
ee30af3baf6143474180ece33408ed72d6ff9f62

SHA256
2c4879b97eba1d2cf9398d675e94091fca2ffb08325d2451c8be661bf671020a

SHA512
2070650ffae2c10022a74f3f02afd3e85f3a4eab7075e1612acac854be1c6305a32d3899aa60abf01524f65beb97fff02042ee89b5eb9345551b42653a5a8206

Download Submit
C:\Users\Admin\AppData\Roaming\SHTEMP\ins.xml

Filesize
1KB

MD5
7ac2bb856f5b3cd3c641a9c1dd70ee0b

SHA1
a5fa35982e3905e08df7bbd44e26359626cdb800

SHA256
d32ee70786eee6b0cf2956543783406cbb2ae5c110aa4832a7f09ffa301b1840

SHA512
f1407838b113f1a2d93ced193bfe2eb7bedde188a7a831cb541781e70b552b8ad18d573dbce0e079ab67ad622e7324e5278449852142e767992b6fd12f0a0f93

Download Submit
C:\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit
C:\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit
C:\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit
\Users\Admin\AppData\Roaming\SHTEMP\mfc42.dll

Filesize
992KB

MD5
e36a58868f19b7b23374946356b3fe4f

SHA1
ee30af3baf6143474180ece33408ed72d6ff9f62

SHA256
2c4879b97eba1d2cf9398d675e94091fca2ffb08325d2451c8be661bf671020a

SHA512
2070650ffae2c10022a74f3f02afd3e85f3a4eab7075e1612acac854be1c6305a32d3899aa60abf01524f65beb97fff02042ee89b5eb9345551b42653a5a8206

Download Submit
\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit
\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit
\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit
\Users\Admin\AppData\Roaming\SHTEMP\setupwiz.exe

Filesize
284KB

MD5
f889a27483e1472b093ef670ba2a0f63

SHA1
1a98c81da6642d83e8e22b94842c132c4c69c165

SHA256
89800f09af71a6ddc3b377aedbaa33caf6b74d9d3870adf43829dd6648b0a01a

SHA512
a410600f2b666175e480665c5886e5c107c7765520c4bc2bc9be791fae8d2df051ff42ae12f14e83d39c018d1289f281b614c437824341c880be382c6940357e

Download Submit