e13c66ae1d4df6f6b364aa1ab9b305bff536c16701d18e0544d7498fa5fa90ab

Analysis

max time kernel
254s
max time network
318s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClientSetup.exe
Size

3.6MB
MD5

3439fab56ae86d13e751a7df5715b339
SHA1

01c4d24db6fbb4a6fbe15f1f61e3fb95a519daad
SHA256

6b6fee52bd65eedfb3552f948e5aa360e0582707755537861e62ac01e31aac4f
SHA512

b9ec4c64edf406cabcd98540cecb4bc0efad4ddfd37ac193f33a50b66fd8985e7252571b6c9a1382b335240cfadf9cebb8f6ac72269ed979c1786fbcb5f3436c
SSDEEP

49152:hxBb3umRcMuNvYMyeTIzRG2Ucc4qwmepiAYVvCfZRXy/kPZk42Hzu8+aheU25Yo8:hz3WN/+VqwbpjcSisFGwnVy

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
748	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2788	ClientSetup.exe
748	setup.exe
748	setup.exe
748	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001000000000b1f5-9.dat	upx
behavioral1/memory/2788-11-0x0000000002E60000-0x0000000002ED1000-memory.dmp	upx
behavioral1/memory/748-18-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/748-24-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28
PID 2788 wrote to memory of 748	2788	ClientSetup.exe	28

C:\Users\Admin\AppData\Local\Temp\ClientSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ClientSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\ae12685\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae12685\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae12685\Setup.ini

Filesize
3KB

MD5
27f3a31ac59d75dc1948eb8078ad8b12

SHA1
1192000d9facaf1acf4ed81495f830ff4daff6a2

SHA256
eeb9c78faa5eb391aea33d2f155a689256b8b4162ca989375604b2ad5815a490

SHA512
bc3d1984c7393e941f53e748e7683426ce2a158c3ab774b4fe667a7c7d4bd35ed18f77d5b082a874f0827e0b0ef177e8ed06ea86d9f3c0acddb3ddec44590b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae12685\setup.bmp

Filesize
88KB

MD5
c668aaccad0683f829699ed82caded1a

SHA1
502845d1da318e3f91e3f0589a5a05dfdf218d05

SHA256
b74de4075e086f1a8ab95ed5561a1518c729e3035b86cddb182f21742afd7848

SHA512
41168d812b82598d431adb5ba25b3362df4fc975c237a218cd1917fc95fcb81c1445de3062c79ece2c0078d7aa24e6854bfee43495086bb3b5ef0338953060eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae12685\¼òÌåÖÐÎÄ.dat

Filesize
4KB

MD5
b02bab409baabb2f432a9deb588edc75

SHA1
485b21647b8037864e35e4fa6fb268ba50883fd5

SHA256
a00b95f9e9b0e3f7fb145eabd68be1688cab81adb399c23d8810ed0fc3e0293d

SHA512
484c86c43a3a2e978e150b12cbf7948492a60aee49eff581574b5845d31c58998066dac8332ffd38ce1106778405e0cbd6622c8bf06b7877fa7c0ca777a9f17c

Download Submit
\Users\Admin\AppData\Local\Temp\ae12685\setup.exe

Filesize
149KB

MD5
808e84852804a6a0a036edf798428f6c

SHA1
8b8923c86da2bd7fbe15bf8ec0178fa210b06e8e

SHA256
2208362d112c755d569a03e28282b30dd53ddd79fe44dcde6ecad23ea82b37b2

SHA512
9df79af8b7fd4945ffc58122063ba797b39a905f1665ce4c802a30bf8c721e1498296862fee0aa9291456aae0f6bc6634a5303ac22b336f927ba290c25b4ef6a

Download Submit
memory/748-18-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/748-19-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/748-20-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/748-24-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/748-26-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/2788-11-0x0000000002E60000-0x0000000002ED1000-memory.dmp

Filesize
452KB

Download