e13c66ae1d4df6f6b364aa1ab9b305bff536c16701d18e0544d7498fa5fa90ab

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClientSetup.exe
Size

3.6MB
MD5

3439fab56ae86d13e751a7df5715b339
SHA1

01c4d24db6fbb4a6fbe15f1f61e3fb95a519daad
SHA256

6b6fee52bd65eedfb3552f948e5aa360e0582707755537861e62ac01e31aac4f
SHA512

b9ec4c64edf406cabcd98540cecb4bc0efad4ddfd37ac193f33a50b66fd8985e7252571b6c9a1382b335240cfadf9cebb8f6ac72269ed979c1786fbcb5f3436c
SSDEEP

49152:hxBb3umRcMuNvYMyeTIzRG2Ucc4qwmepiAYVvCfZRXy/kPZk42Hzu8+aheU25Yo8:hz3WN/+VqwbpjcSisFGwnVy

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2540-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/files/0x0007000000023202-11.dat	upx
behavioral2/memory/2540-16-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2540	5068	ClientSetup.exe	21
PID 5068 wrote to memory of 2540	5068	ClientSetup.exe	21
PID 5068 wrote to memory of 2540	5068	ClientSetup.exe	21

C:\Users\Admin\AppData\Local\Temp\ClientSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ClientSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\ae12097\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae12097\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae12097\Setup.ini

Filesize
3KB

MD5
27f3a31ac59d75dc1948eb8078ad8b12

SHA1
1192000d9facaf1acf4ed81495f830ff4daff6a2

SHA256
eeb9c78faa5eb391aea33d2f155a689256b8b4162ca989375604b2ad5815a490

SHA512
bc3d1984c7393e941f53e748e7683426ce2a158c3ab774b4fe667a7c7d4bd35ed18f77d5b082a874f0827e0b0ef177e8ed06ea86d9f3c0acddb3ddec44590b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae12097\setup.exe

Filesize
149KB

MD5
808e84852804a6a0a036edf798428f6c

SHA1
8b8923c86da2bd7fbe15bf8ec0178fa210b06e8e

SHA256
2208362d112c755d569a03e28282b30dd53ddd79fe44dcde6ecad23ea82b37b2

SHA512
9df79af8b7fd4945ffc58122063ba797b39a905f1665ce4c802a30bf8c721e1498296862fee0aa9291456aae0f6bc6634a5303ac22b336f927ba290c25b4ef6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae12097\¼òÌåÖÐÎÄ.dat

Filesize
4KB

MD5
b02bab409baabb2f432a9deb588edc75

SHA1
485b21647b8037864e35e4fa6fb268ba50883fd5

SHA256
a00b95f9e9b0e3f7fb145eabd68be1688cab81adb399c23d8810ed0fc3e0293d

SHA512
484c86c43a3a2e978e150b12cbf7948492a60aee49eff581574b5845d31c58998066dac8332ffd38ce1106778405e0cbd6622c8bf06b7877fa7c0ca777a9f17c

Download Submit
memory/2540-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2540-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download