c9ab78536608b4ee4a7e3ac544cfc1eb8c5bec1e15f1a81fee7d20c6a4882010

Analysis

max time kernel
191s
max time network
158s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.8MB
MD5

841451e01863ba09a3a7327da616e642
SHA1

735a3eb50f247fe6bd13e8a8f40eb8741f19642c
SHA256

7dbe11f7b8cbc7f7eba8311ae51cdb6c8def800f04401c44306b04de812cb927
SHA512

2b17d0fec6124ca778e4a0ba761501f138dbe2e7010dcfe0c3b036ce706b3ba9bc3fba0e1f8aeccc25c6cf2d17c69650feeffc91736af69ecc0d35cfe427bc4b
SSDEEP

49152:gGpT0dFZSi7Tb4T7xC/4K20TT2xzBpux3y1rs3xHE/lz0:9pIdSiruo/4K20TT2xlMk9CdEC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	is-RDG3L.tmp

Loads dropped DLL 4 IoCs

pid	Process
2544	setup.exe
2676	is-RDG3L.tmp
2676	is-RDG3L.tmp
2676	is-RDG3L.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	is-RDG3L.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2676	2544	setup.exe	29
PID 2544 wrote to memory of 2676	2544	setup.exe	29
PID 2544 wrote to memory of 2676	2544	setup.exe	29
PID 2544 wrote to memory of 2676	2544	setup.exe	29
PID 2544 wrote to memory of 2676	2544	setup.exe	29
PID 2544 wrote to memory of 2676	2544	setup.exe	29
PID 2544 wrote to memory of 2676	2544	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp" /SL4 $4015E "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1595381 49664
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp

Filesize
357KB

MD5
b70eb52c748360109f929037ab1b21aa

SHA1
b4efa7389848c3345a365547f6de31d3535a7869

SHA256
4d8d3e10bfd9cf62d0af5afe77e33ca78e68bea5742a382cabc2fa19d9a2f745

SHA512
b5c0e80c0fd5442558fe7b50296beba25e53cbe41ba4ce16d2d9f705259cb8ca011a440f765cb3255059ca8c46c8c7cce8676a62de8a499578aff7723d3dff14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp

Filesize
640KB

MD5
8cd4fecf8aaab5a7fac8fc7f3a317811

SHA1
09296b0c507923a9211e87bb4a8198902e2ec94e

SHA256
dcd512ea07739c4a9bd5b3aed0f4ac4d8528c1b95270fd4482150e4c067122a8

SHA512
fd52a418bb44fe5ca147d67848824293d530b7431747438d68cf1775aa0a8208c5cefb5f73a34f80f3c35769982067b28cc3af9f95117be338571cd8afcd31a0

Download Submit
\Users\Admin\AppData\Local\Temp\is-BPCLK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-BPCLK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-U6KA6.tmp\is-RDG3L.tmp

Filesize
320KB

MD5
be6914cc0b7c94d87526f4de0d74cff4

SHA1
24c624d8291f706df6d568173f913b231367bb87

SHA256
1d5205c962ceacd7a9fabeffe0c39217dc682f3f474b140d3f36680e18810dc4

SHA512
c894086e14d2b29cc78be8107bcdd453614743b2a47820e9f1269ed512f1f219cdec24a5809f4e081c7f1c27f6126de7cd2382fbeedd35266f814cb26d75bbae

Download Submit
memory/2544-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2544-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2544-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2676-20-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download