881c7772666619ee5bbf9e4e97158b832ab10db9838d70dd3b4a8954aaf9c3e8

Analysis

max time kernel
148s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MacroRecorderSetup.exe
Size

18.1MB
MD5

de5e05ee93d77686863e45c70d8f7143
SHA1

e86714331c8e2f3fc17f0e2ba98a8ba430bd3c54
SHA256

881c7772666619ee5bbf9e4e97158b832ab10db9838d70dd3b4a8954aaf9c3e8
SHA512

91a2ae260fe82e1c399ef4de8cbae640509393004a89c3b4c00a74709009b81d4c97909e9de2c2bfaaaa03eb17dcd1dfe5759b6a66a2de6e10548afd59a1ac8d
SSDEEP

393216:YQ5jwJs2I1f+joBVMwxTZrGQdocntAU2S6CNx3jh4/oDf:EJs2QeWVM8ToKoctSS6CjdP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2804	MacroRecorderSetup.tmp

Loads dropped DLL 2 IoCs

pid	Process
2236	MacroRecorderSetup.exe
2804	MacroRecorderSetup.tmp

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\KasperskyLab	MacroRecorderSetup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	MacroRecorderSetup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28
PID 2236 wrote to memory of 2804	2236	MacroRecorderSetup.exe	28

C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\is-1DDU1.tmp\MacroRecorderSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1DDU1.tmp\MacroRecorderSetup.tmp" /SL5="$7011E,18101744,845312,C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1DDU1.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
e1f9a2fd3d98a0c8292e1944d16489d1

SHA1
9ee15a009b44e5c6feee944a49384e4573b73b76

SHA256
cff18e9286cfc125c3030889cce95748aa692df206297f298ec608bcfc7b8132

SHA512
68931b5022189184d438d07c8d7adc32d8dfb3b23f435c491615c87e4deb1f947b926aaa16b58305541fa953e21226b0e2e8dac9ae994e5db4303eeb8300db54

Download Submit
\Users\Admin\AppData\Local\Temp\is-1DDU1.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
e1f9a2fd3d98a0c8292e1944d16489d1

SHA1
9ee15a009b44e5c6feee944a49384e4573b73b76

SHA256
cff18e9286cfc125c3030889cce95748aa692df206297f298ec608bcfc7b8132

SHA512
68931b5022189184d438d07c8d7adc32d8dfb3b23f435c491615c87e4deb1f947b926aaa16b58305541fa953e21226b0e2e8dac9ae994e5db4303eeb8300db54

Download Submit
\Users\Admin\AppData\Local\Temp\is-N5EBP.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/2236-1-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2236-13-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2804-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-14-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/2804-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download