e13c66ae1d4df6f6b364aa1ab9b305bff536c16701d18e0544d7498fa5fa90ab

Analysis

max time kernel
142s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ServerSetup.exe
Size

2.0MB
MD5

78b620c7ac858e87b39bf02d7b2086a3
SHA1

bfb3052ac0690ea93a9558dc14eb1baead2526bd
SHA256

bc25ea0accfc2382cde4574f2e0aa65ab62134bcc0398a7f6ba302501e555a2f
SHA512

d0c20d3a3c1f8c5e2466022dfb03a92debfa9aaae0f5250fedb1214c34d8892fda792d7e4cd03f588b7c5dd0e81c9d30fea9eb10f12c4b947d5a1d56026e2ffd
SSDEEP

49152:hi1pRP506e7tc2juZF4EQqKxScDa7VwU2aYogi6O:huP57e5c26D4EQrScDMnVN

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2424	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2400	ServerSetup.exe
2424	setup.exe
2424	setup.exe
2424	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000b0000000155e6-9.dat	upx
behavioral3/memory/2400-11-0x00000000020C0000-0x0000000002131000-memory.dmp	upx
behavioral3/memory/2424-14-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral3/memory/2424-23-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28
PID 2400 wrote to memory of 2424	2400	ServerSetup.exe	28

C:\Users\Admin\AppData\Local\Temp\ServerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ServerSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\ae12120\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae12120\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae12120\Setup.ini

Filesize
7KB

MD5
b3bec8f95371e2e88f0d57a6766c3a8b

SHA1
e587bb6186ccef73baafe238ad17182229132c69

SHA256
ab039729077f4e2dae82285a6d01906838e424faa18b7781b8856f2f9707cac0

SHA512
6fbc1d1c41e46e8c69b279264dfd705cdea2918e784ad05de1b422f137f21fc4cf7f72271ea89383b6a5cc1637e43fbeda270ac9b47c0cb9b263f877fe9587c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae12120\setup.bmp

Filesize
88KB

MD5
c668aaccad0683f829699ed82caded1a

SHA1
502845d1da318e3f91e3f0589a5a05dfdf218d05

SHA256
b74de4075e086f1a8ab95ed5561a1518c729e3035b86cddb182f21742afd7848

SHA512
41168d812b82598d431adb5ba25b3362df4fc975c237a218cd1917fc95fcb81c1445de3062c79ece2c0078d7aa24e6854bfee43495086bb3b5ef0338953060eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae12120\¼òÌåÖÐÎÄ.dat

Filesize
4KB

MD5
b02bab409baabb2f432a9deb588edc75

SHA1
485b21647b8037864e35e4fa6fb268ba50883fd5

SHA256
a00b95f9e9b0e3f7fb145eabd68be1688cab81adb399c23d8810ed0fc3e0293d

SHA512
484c86c43a3a2e978e150b12cbf7948492a60aee49eff581574b5845d31c58998066dac8332ffd38ce1106778405e0cbd6622c8bf06b7877fa7c0ca777a9f17c

Download Submit
\Users\Admin\AppData\Local\Temp\ae12120\setup.exe

Filesize
149KB

MD5
808e84852804a6a0a036edf798428f6c

SHA1
8b8923c86da2bd7fbe15bf8ec0178fa210b06e8e

SHA256
2208362d112c755d569a03e28282b30dd53ddd79fe44dcde6ecad23ea82b37b2

SHA512
9df79af8b7fd4945ffc58122063ba797b39a905f1665ce4c802a30bf8c721e1498296862fee0aa9291456aae0f6bc6634a5303ac22b336f927ba290c25b4ef6a

Download Submit
memory/2400-11-0x00000000020C0000-0x0000000002131000-memory.dmp

Filesize
452KB

Download
memory/2424-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2424-19-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/2424-23-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download