14cd4107d41d6a58c3f5af24af7a18f1b4ec06e4e4b09baf2199cdf60bc3fb47

Analysis

max time kernel
4s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4487cdfd6247907fef7f7a2579e60a5e.exe
Size

791KB
MD5

4487cdfd6247907fef7f7a2579e60a5e
SHA1

7e52416b0efefd459feee191d6651a39a24cdf3a
SHA256

14cd4107d41d6a58c3f5af24af7a18f1b4ec06e4e4b09baf2199cdf60bc3fb47
SHA512

959ccf204ecefcf7afdfc5373467796c5efca1cc17e9eee4fb1cb5cb08a85c15dfed1306c3a9440b9a66bb3fee007e70edbff320e56cb61e65f1820858d538b6
SSDEEP

12288:70gVy90eHGesA35KRlj9psCtrTLTMvX1nmbkFxWJMao4pmlEbr9xk+b3K:4uyz2A35YskrvTQlmSkJzHbr/a

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.EXE

Executes dropped EXE 1 IoCs

pid	Process
2828	Setup.EXE

Loads dropped DLL 1 IoCs

pid	Process
760	4487cdfd6247907fef7f7a2579e60a5e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 1 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Setup.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
760	4487cdfd6247907fef7f7a2579e60a5e.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2828	Setup.EXE
2828	Setup.EXE
2828	Setup.EXE
2828	Setup.EXE
2828	Setup.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28
PID 760 wrote to memory of 2828	760	4487cdfd6247907fef7f7a2579e60a5e.exe	28

C:\Users\Admin\AppData\Local\Temp\4487cdfd6247907fef7f7a2579e60a5e.exe
"C:\Users\Admin\AppData\Local\Temp\4487cdfd6247907fef7f7a2579e60a5e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\Setup.EXE
  C:\Users\Admin\AppData\Local\Temp\\Setup.EXE
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.EXE

Filesize
97KB

MD5
05f02f943adf049013a116c28dda54b8

SHA1
0c4320895f47cb8f8e6450b0b4a96ca752c07616

SHA256
7b7f4d7c3c4f85f5b6c20f335a995ce9ea3c78a412699786064902b43e0c7a1d

SHA512
e5906eea0297c11b89c67a03ca3299c105c5224f94275bfb08a8b5e9dffdd5febf541d3d055d0bf657656b27d34af33fe316877d5f36de6238134246e259826d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
155KB

MD5
1d65f7035a0d908a72aafe0361583a85

SHA1
c6b614da0a25e1b6bbaea04876205d36ce6388d9

SHA256
12fe5e84478b1c8f8eddc7259ca8a83f250d4d1e2ba7e90ce568b0c0fca39298

SHA512
ae866299f57411aed89fcb0a73e0fab446263981ae3e41522f41959029e61a63b1aad35b930a6baf8ab28cebceb22a7a5aadddb6f842680c530eb5d68c74a8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe

Filesize
45KB

MD5
f253bc16fe3a083d621d36dbdbae9ec3

SHA1
79b3fa31f420c44c96ff137e56353884ed35ca60

SHA256
230150019c9dab3aca4c9d596ef8a2d3703194b46927b0580891c78dbe2fbee8

SHA512
4cae4c743c507053dd6a96a55ddc2c04de539e5b9471b421ef8adf2c54e77b5ff8aaa65c4c3e85ded77c75d8f92d6d4351afe92e343cf11b9f69a65b732f82a2

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
140KB

MD5
1e283e4402c96ffb795b8bdd6d1ce1e4

SHA1
7ecbdf9f496829fdf3da60885fcb9435ed172d19

SHA256
1b78c251106ee43133e82112d9e1f69337e51f73b62064740153d0e65260cc1f

SHA512
e8914140a6f53e25e85fd0a2d1b46db73f5b5c2d144a2b7157d5c6a131aedb2bd866308ed3987a0370c164279aeca771cd84b05fb42f17328c1c3e456f24a709

Download Submit
memory/760-1-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads