fab6ed452dcc45b77067a5b5986f0031c9d3875c45ece338c7d7340d0de18500

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CSPSetup-5.0.12000.exe
Size

7.3MB
MD5

1069fa904005f8ec3951ec6fb49dd7b4
SHA1

f732072f186e5835b0a209f87b78550829967b2f
SHA256

6dcad381625da79108dfbe07f13b4f521e97f8056f1e1ab7dc29984086f8ae6d
SHA512

540cac7914e0a5f7f3740838aba1a4ce411b13ea04950dea416f3fdb7fa4460c8017811d88c3300cd8efb943ea8d049528b2ad942687e0c1d89348a4ad88362d
SSDEEP

196608:vqQwR5/IGYBoPDtqQLMks9YlmJZDmwkRAHjKoz5s4lAiADrgBQX06lX:vlwbQVoPDBLMLZDmtAHRHldlq

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
1596	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1672	CSPSetup-5.0.12000.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1596	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1672	CSPSetup-5.0.12000.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28
PID 1672 wrote to memory of 1596	1672	CSPSetup-5.0.12000.exe	28

C:\Users\Admin\AppData\Local\Temp\CSPSetup-5.0.12000.exe
"C:\Users\Admin\AppData\Local\Temp\CSPSetup-5.0.12000.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1672
- C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\Setup.exe
  "C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\Setup.exe" -firstrundlg -root -restartcproctrl -stopmsiserver -disablerm -skipinstallvalidate
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\0408435EB90E5C8796A160E69E4BFAC453435D1D.cer

Filesize
1KB

MD5
56b3dd20751fd8d37f154313ea33408c

SHA1
0408435eb90e5c8796a160e69e4bfac453435d1d

SHA256
c51bcd9acef0c7ea60f7538ee802ae15b93720d88a403258639f61874e84baeb

SHA512
f9e6ab4feb36d1217a7ae2c9c2a59791501168e395e5e80429ace11b9f14f14c40174f257d8e742650418882ec3ea9b4d2b13ebc8c1303da3e835c759b5781f0

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\0932E483C4420E668F64D360006D0BEB0BFACCA7.cer

Filesize
1KB

MD5
57b8122b3f3dbb9af72032749fd3fd7c

SHA1
0932e483c4420e668f64d360006d0beb0bfacca7

SHA256
f3f53906a1db009003bfa9e307b8b428b266abdddba5bdb296561c185f5d178c

SHA512
bceb1bb1c46d90405ba00816f5acfff27a403218dafd3adcebd91605ff01e4cb0cfbab8d187ad7d1337341f14a46b14394804f2c896b06a87bd8a1e5b32029e1

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\13877A8BD34589567F9B9AFF6498026C0C29C617.cer

Filesize
1KB

MD5
25f843018deebe233154f7d3587b8a9c

SHA1
13877a8bd34589567f9b9aff6498026c0c29c617

SHA256
9006c4610f13ba6e0792c4bbdc27262d7c7db88e0587855da03911922f4dcb7b

SHA512
6cef2996d123ceae2210d04f2e7d7f3c3aaee2b92222bf7f994ba833ae816281c9fbd317394b751db78cf8d08e8b6a35b7ed5a10eb19f6d381e583b08cf66700

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\1B4158B9A7399FD8B90AE8A06FC676FB0624F97E.cer

Filesize
1KB

MD5
68a01739c1477c34520cd99c930a6d44

SHA1
1b4158b9a7399fd8b90ae8a06fc676fb0624f97e

SHA256
5f08c210d77cda988f4e6a173fed5bb1494fa94916fab68f03e0f8702c88118c

SHA512
54be25ce71d428519fc4ec7f11eed9a1aa3bb8268b85857df0ec9a45a9b597325f75c98ce686c21303989535ebccf84ee72dba01b1109cfd17e39354406a0f93

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\34E21FC04D3576B0ADA81FD081955E2778291CC5.cer

Filesize
1KB

MD5
1d93c83c1f31552b60a345d33f78a071

SHA1
34e21fc04d3576b0ada81fd081955e2778291cc5

SHA256
0d2af8a0b445e63cbd7d1ab63af8dc44ab4d69e1b8a2200373ebff57fab68350

SHA512
79b511b9298fc30585a760b9d170f67bc70ad95edf61eb60ada36b711bd7b940949772a4531769086c41e3657e6b6bade6757ecce0734bbf296c9f1646393621

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\4BC6DC14D97010C41A26E058AD851F81C842415A.cer

Filesize
1KB

MD5
8eabbb8f43ad8dc356ef493815e3c032

SHA1
4bc6dc14d97010c41a26e058ad851f81c842415a

SHA256
bae62b5b7bede326b06856fb67a2a471268f9f404e5b18fdf40261c3e63010b1

SHA512
3c7ec809a741857a5d8c93104254bd2293a622b5f5c450df7ba86cf34a7991c022b0a649b82deb3c1926c2df5e2d02caad7cad5dbb0a3851e25740f6326a3f3e

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\8CAE88BBFD404A7A53630864F9033606E1DC45E2.cer

Filesize
1KB

MD5
1b21b4ceca83307a069be994d8619bab

SHA1
8cae88bbfd404a7a53630864f9033606e1dc45e2

SHA256
4e450e4971f2d77d22567b55ecc2162b3dfd0d2fa6a8da8a92cdcabc80489b59

SHA512
a9ba9f9bf8791d69eeb957f7867e94c1888dd692db6a810eb776ce912e82a9300bacd49575c94a9362a3981373550bdfd9309674fdf7d4c6089ca231fc0e4517

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\9E78A331020E528C046FFD57704A21B7D2241CB3.cer

Filesize
1KB

MD5
2f5bf7c0ed8b74ce76f278a6b9f9782e

SHA1
9e78a331020e528c046ffd57704a21b7d2241cb3

SHA256
47bbfecbce120df263bc43c798e9fedc3987fd7ffc2b7e879ad19e7b0cf7c0ab

SHA512
3ff9159c2dcb92bbe81f742357489ab1e8f7b39631e7d705dc0e7c41bf4aa226241952b699e98b37cf39ccd979583f5bed4e3428fe67857561e3a0b018b8a5d9

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\AFF05C9E2464941E7EC2AB15C91539360B79AA9D.cer

Filesize
1KB

MD5
82250751e71cf2bf2c3793b514815dab

SHA1
aff05c9e2464941e7ec2ab15c91539360b79aa9d

SHA256
d5a17174722fa9719fe3e82a2bc0b9fd834c158603194c45a395dc66e02cd891

SHA512
f10e06ad699ba090fca3e30fd85fb66accfea6147d9bb7647fbe0e5df9dc2d3f645c8459f8a79089c91db13ac2ca4bd06649b069b24fecec4c491e7fad50ffc5

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\D24B37FCFBB979D2D4A5D1549EC4E2029D15D8A2.cer

Filesize
1KB

MD5
4c03edcd8e3d272fbf60741f99c893bb

SHA1
d24b37fcfbb979d2d4a5d1549ec4e2029d15d8a2

SHA256
60d00ab0fd3d8ac76e731646cfc707e29abefba5b9b16284d6aae6e06d22f833

SHA512
858b3de206f5fc92653e29a3d556df75e3b76e3e7c04bf93ea4ec47cc1ec14c1a025f9f6ce1a6e1ca6807deb628bd9a98f9f3ad975ea2b3c0efa0a46a21af575

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\F6B88598FF04D18C8132CFB074D9FB051CEC8A82.cer

Filesize
1KB

MD5
a05022a6780fc364d16efb5bd151e38b

SHA1
f6b88598ff04d18c8132cfb074d9fb051cec8a82

SHA256
76b1ee650e18c612b7e6aeacd70586f67ba299fb260d69cc94ee2aee4e8fed55

SHA512
a6555552a0480691d2dd6f5ab80a519142b2c982236a7412ab6b48f3e73fa381f0c29d2516c8c688cce70240650bb188e6879ce27a52a5d5a5084743e691e466

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\Setup.exe

Filesize
167KB

MD5
3c553354e359f899643230ee532118df

SHA1
57376a3d3275d024715b3292da18cf206e054197

SHA256
4f92b43f113bb739813e79e5ed10cffb2f3b85a452e66cdfe66063abc647ba1b

SHA512
72979187784aff443833cf2d9ebd69fc40739943282458f516483639ec9b3f80434539f3068bd887034e8ba8e42b9f8420c053684ac06501a453ad9fd2ee73b5

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\Setup.exe

Filesize
167KB

MD5
3c553354e359f899643230ee532118df

SHA1
57376a3d3275d024715b3292da18cf206e054197

SHA256
4f92b43f113bb739813e79e5ed10cffb2f3b85a452e66cdfe66063abc647ba1b

SHA512
72979187784aff443833cf2d9ebd69fc40739943282458f516483639ec9b3f80434539f3068bd887034e8ba8e42b9f8420c053684ac06501a453ad9fd2ee73b5

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\csp-win32-eng.msi

Filesize
1.2MB

MD5
00b6d6daa81f7a85eb0eec1951f3a5b9

SHA1
5b4bf0841aa16066f0d4873a9a39463c5bdeabd0

SHA256
bc8042f4a74c440abb28c7b198049019f29a3e6c2997400035fcc192862866c9

SHA512
d5bb90a163ea98138a56f57ed9862d8acf9be9925b4bea10ee6273ff48f2cb6115a54d092ef2d862acac2a1a459f9b6db8eea9fd4d0bce112aea1b504de94c55

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\csp-x64-eng.msi

Filesize
1.5MB

MD5
e912380c99ba544a3b40602f73bf92fe

SHA1
f2bf2c0578798b9f28a8dbbc165836150b32c4ca

SHA256
bb5c01534e4f20f1b26ae1357ff2a3e71b8996f930a733d9648c5f19c24d18bd

SHA512
39a66f8220b9827e3b069941fa73b7b6aeb1e08e7c059498d95a9915e5bf72ba2cce3d554e15f34553ef19363705235601c4ccf8349456625d1a98c3493606fa

Download Submit
C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\csp-x64-eng.msi

Filesize
1.5MB

MD5
e912380c99ba544a3b40602f73bf92fe

SHA1
f2bf2c0578798b9f28a8dbbc165836150b32c4ca

SHA256
bb5c01534e4f20f1b26ae1357ff2a3e71b8996f930a733d9648c5f19c24d18bd

SHA512
39a66f8220b9827e3b069941fa73b7b6aeb1e08e7c059498d95a9915e5bf72ba2cce3d554e15f34553ef19363705235601c4ccf8349456625d1a98c3493606fa

Download Submit
\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.12000\Setup.exe

Filesize
167KB

MD5
3c553354e359f899643230ee532118df

SHA1
57376a3d3275d024715b3292da18cf206e054197

SHA256
4f92b43f113bb739813e79e5ed10cffb2f3b85a452e66cdfe66063abc647ba1b

SHA512
72979187784aff443833cf2d9ebd69fc40739943282458f516483639ec9b3f80434539f3068bd887034e8ba8e42b9f8420c053684ac06501a453ad9fd2ee73b5

Download Submit
memory/1596-408-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1596-409-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download