690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5

Analysis

max time kernel
88s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MediaCreationTool22H2.exe
Size

18.6MB
MD5

aa2ad37bb74c05a49417e3d2f1bd89ce
SHA1

1bf5f814ffe801b4e6f118e829c0d2821d78a60a
SHA256

690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5
SHA512

fab34ccbefbcdcec8f823840c16ae564812d0e063319c4eb4cc1112cf775b8764fea59d0bbafd4774d84b56e08c24056fa96f27425c4060e12eb547c2ae086cc
SSDEEP

196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	SetupHost.Exe

Executes dropped EXE 1 IoCs

pid	Process
3872	SetupHost.Exe

Loads dropped DLL 9 IoCs

pid	Process
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe
3872	SetupHost.Exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	MediaCreationTool22H2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2624	MediaCreationTool22H2.exe
Token: SeRestorePrivilege	2624	MediaCreationTool22H2.exe
Token: SeBackupPrivilege	2624	MediaCreationTool22H2.exe
Token: SeRestorePrivilege	2624	MediaCreationTool22H2.exe
Token: SeBackupPrivilege	3872	SetupHost.Exe
Token: SeRestorePrivilege	3872	SetupHost.Exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2624	MediaCreationTool22H2.exe
3872	SetupHost.Exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 3872	2624	MediaCreationTool22H2.exe	90
PID 2624 wrote to memory of 3872	2624	MediaCreationTool22H2.exe	90
PID 2624 wrote to memory of 3872	2624	MediaCreationTool22H2.exe	90

C:\Users\Admin\AppData\Local\Temp\MediaCreationTool22H2.exe
"C:\Users\Admin\AppData\Local\Temp\MediaCreationTool22H2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\$Windows.~WS\Sources\SetupHost.Exe
  "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3872

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
14.9MB

MD5
bdbd14f60fc78edca16a022c9801cf70

SHA1
e24ce3852cc9d42296c3fd550735069b86d7518a

SHA256
a2679d717db07f43d81f895e508520e01cd0262f1be5870333d12ce71fe02db4

SHA512
6d6aa6aa8108d49347b4d5b40c632e568d44805d6352b517363262a408f7e04cafb3a66d1cb121bf920df080c7119401c454f90ba9a47ffe593ce9cb11da78b8

Download Submit
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
14.9MB

MD5
bdbd14f60fc78edca16a022c9801cf70

SHA1
e24ce3852cc9d42296c3fd550735069b86d7518a

SHA256
a2679d717db07f43d81f895e508520e01cd0262f1be5870333d12ce71fe02db4

SHA512
6d6aa6aa8108d49347b4d5b40c632e568d44805d6352b517363262a408f7e04cafb3a66d1cb121bf920df080c7119401c454f90ba9a47ffe593ce9cb11da78b8

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.1MB

MD5
55a4344e76136460be2c8547c38567b4

SHA1
83400b9a3bc4f1d935258a80b3e7636baaa618cb

SHA256
a9ac64ec515d04589dfc38b25d68d01f281bbb794d0df9ec4205fe473703aef5

SHA512
a8ad61caf69891ee31c48401ec87d3bb92db5e64c9fe878ee33e072fd6e5406db9a747485d1cf93f615072e6c565c36715700571dcd974c6eb7a76a7630d0f43

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.1MB

MD5
55a4344e76136460be2c8547c38567b4

SHA1
83400b9a3bc4f1d935258a80b3e7636baaa618cb

SHA256
a9ac64ec515d04589dfc38b25d68d01f281bbb794d0df9ec4205fe473703aef5

SHA512
a8ad61caf69891ee31c48401ec87d3bb92db5e64c9fe878ee33e072fd6e5406db9a747485d1cf93f615072e6c565c36715700571dcd974c6eb7a76a7630d0f43

Download Submit
C:\$Windows.~WS\Sources\SetupHost.Exe

Filesize
682KB

MD5
a5d94f9587f97e9c674447447721b77f

SHA1
1c130f95c82ab28a4a11a7ed41eb9ea9f613a339

SHA256
f33e7bce0ca712baac95557823096f929f78927e521c0448ed237f429141efd9

SHA512
e5e35480a489b0f63a2938a1c4ea19aca197a16020bb330662b62e98759fb5f7b6056416dc1d8894e433607c5b4fb3e7ae61f0d2fa3c7455dd000916ec3d5d62

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe

Filesize
682KB

MD5
a5d94f9587f97e9c674447447721b77f

SHA1
1c130f95c82ab28a4a11a7ed41eb9ea9f613a339

SHA256
f33e7bce0ca712baac95557823096f929f78927e521c0448ed237f429141efd9

SHA512
e5e35480a489b0f63a2938a1c4ea19aca197a16020bb330662b62e98759fb5f7b6056416dc1d8894e433607c5b4fb3e7ae61f0d2fa3c7455dd000916ec3d5d62

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
729KB

MD5
59d1a173f6b27a8a1cc367ca9ff6e560

SHA1
15b2c60011d97b99c4cd2eedb62ccab14d748df6

SHA256
45c2ee2387026a50f0c6b9c9119f39b6d2b6505312dbdf352399fd41e8deb78f

SHA512
a14d89fcf4964f7929936a16c0ef9d4896d14913b3e5bc050cd7044a1a0da50e58520de80a7966832f514365d031012d0e1829cd7b93d1b547812f8abbcf7557

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
729KB

MD5
59d1a173f6b27a8a1cc367ca9ff6e560

SHA1
15b2c60011d97b99c4cd2eedb62ccab14d748df6

SHA256
45c2ee2387026a50f0c6b9c9119f39b6d2b6505312dbdf352399fd41e8deb78f

SHA512
a14d89fcf4964f7929936a16c0ef9d4896d14913b3e5bc050cd7044a1a0da50e58520de80a7966832f514365d031012d0e1829cd7b93d1b547812f8abbcf7557

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll

Filesize
6.9MB

MD5
0db2eb7b159d7289dfbdf3ca29d44704

SHA1
57a9aa7409a9040a701855bf610f68e5a9cfea24

SHA256
cbeec25c578f4e8eae81bb8829c3b7bc81648da6f63eeb4a606b9a66660d6d91

SHA512
8eada149f0c90df794d26efe8af2c90df1b8172b33ccc6639f3f1a18671aa34493a6d466b4bf2357075094bc13129e5001623b2388c39ed6fa4239b4e9ef6328

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll

Filesize
196KB

MD5
07f3fac5518c90b22dfb9778ea280d0a

SHA1
6d20ff953a0c5aabc1970e80a5f96aedd830db9b

SHA256
65467bf1fbf10c2a399fe532b780f3604fda5b00db8319787cb6867bede4b90e

SHA512
f86447c3dd0ad11022b208ba04c7b62cddf57b1035f4b1e18aae3e6764b6dce53fbeaa68cb5ce3ab75ba08293474dc18e9a3f5ce6df43a01701abd9180e07ace

Download Submit
C:\$Windows.~WS\Sources\WINDLP.DLL

Filesize
1.1MB

MD5
6f12ba2d5cb564f73d9813d105e5c1fe

SHA1
b634e34149f99f4336efc0c5de5e850c61be48e1

SHA256
26b66b81267dfda7a78890f20a4ed0d104db1cd350d2d9f649fdb496b6c11333

SHA512
4462f38b0a4eca1d09eb747853cc15c804e2e42e91812604a0aef25de06d5fa5a5a4d79731aeb462f61ed46d63dd904d0a943919aabd5adb771f94c63e6a175a

Download Submit
C:\$Windows.~WS\Sources\WinDlp.dll

Filesize
1.1MB

MD5
6f12ba2d5cb564f73d9813d105e5c1fe

SHA1
b634e34149f99f4336efc0c5de5e850c61be48e1

SHA256
26b66b81267dfda7a78890f20a4ed0d104db1cd350d2d9f649fdb496b6c11333

SHA512
4462f38b0a4eca1d09eb747853cc15c804e2e42e91812604a0aef25de06d5fa5a5a4d79731aeb462f61ed46d63dd904d0a943919aabd5adb771f94c63e6a175a

Download Submit
C:\$Windows.~WS\Sources\setupplatform.cfg

Filesize
10KB

MD5
033e7adc314c248cc29a9f14906c21e5

SHA1
6b31f8a23514b4e98217cd05be08e7967eca7048

SHA256
c40fddbb16853406d12d30e01e170de8474728bb8ec24794db721de0a7f67927

SHA512
46b46d548f5a2269e886a9f6873d97549eeb92c7294114c62baf7805ac423e4d3aa3a50cd7b3294be03e22c271f6bef1134adf797d9f838962ef5b42e8ecd19e

Download Submit
C:\$Windows.~WS\Sources\setupplatform.dll

Filesize
6.9MB

MD5
0db2eb7b159d7289dfbdf3ca29d44704

SHA1
57a9aa7409a9040a701855bf610f68e5a9cfea24

SHA256
cbeec25c578f4e8eae81bb8829c3b7bc81648da6f63eeb4a606b9a66660d6d91

SHA512
8eada149f0c90df794d26efe8af2c90df1b8172b33ccc6639f3f1a18671aa34493a6d466b4bf2357075094bc13129e5001623b2388c39ed6fa4239b4e9ef6328

Download Submit
C:\$Windows.~WS\Sources\setupplatform.dll

Filesize
6.9MB

MD5
0db2eb7b159d7289dfbdf3ca29d44704

SHA1
57a9aa7409a9040a701855bf610f68e5a9cfea24

SHA256
cbeec25c578f4e8eae81bb8829c3b7bc81648da6f63eeb4a606b9a66660d6d91

SHA512
8eada149f0c90df794d26efe8af2c90df1b8172b33ccc6639f3f1a18671aa34493a6d466b4bf2357075094bc13129e5001623b2388c39ed6fa4239b4e9ef6328

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
816KB

MD5
5d52a4efac5b4b7530b388aeb6f9cb67

SHA1
4b5d32a6caecec6e261f5ba7bae392609a6a0f65

SHA256
137eca75b268556503e26cd5987dddac5eb0831ed4ce5ea3b0d34b5645a31abd

SHA512
f7f88c4229c97bf598f995cf31a8adff73089ef8d26143cc839a30d63221fb66b185e12ae20bc17f14712723bb20c34f6e546f6be961164deeae268703322756

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
816KB

MD5
5d52a4efac5b4b7530b388aeb6f9cb67

SHA1
4b5d32a6caecec6e261f5ba7bae392609a6a0f65

SHA256
137eca75b268556503e26cd5987dddac5eb0831ed4ce5ea3b0d34b5645a31abd

SHA512
f7f88c4229c97bf598f995cf31a8adff73089ef8d26143cc839a30d63221fb66b185e12ae20bc17f14712723bb20c34f6e546f6be961164deeae268703322756

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
816KB

MD5
5d52a4efac5b4b7530b388aeb6f9cb67

SHA1
4b5d32a6caecec6e261f5ba7bae392609a6a0f65

SHA256
137eca75b268556503e26cd5987dddac5eb0831ed4ce5ea3b0d34b5645a31abd

SHA512
f7f88c4229c97bf598f995cf31a8adff73089ef8d26143cc839a30d63221fb66b185e12ae20bc17f14712723bb20c34f6e546f6be961164deeae268703322756

Download Submit
C:\$Windows.~WS\Sources\wdscore.dll

Filesize
196KB

MD5
07f3fac5518c90b22dfb9778ea280d0a

SHA1
6d20ff953a0c5aabc1970e80a5f96aedd830db9b

SHA256
65467bf1fbf10c2a399fe532b780f3604fda5b00db8319787cb6867bede4b90e

SHA512
f86447c3dd0ad11022b208ba04c7b62cddf57b1035f4b1e18aae3e6764b6dce53fbeaa68cb5ce3ab75ba08293474dc18e9a3f5ce6df43a01701abd9180e07ace

Download Submit