7de34b228cc9adbba044a0a12c86e025e590f667e886f2f94c7d21c159b3b314

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SETUP.exe
Size

1.9MB
MD5

3340bab1c2c7a13dd12e9376dcc5cdc5
SHA1

863ef53a424112eb4387f36c1c7a72910073354f
SHA256

b75ec66a93df2eff82d2feace99d7e1ad3972258eb5294c0aabb144a7c16851b
SHA512

81e4b755a18d9407382b36dd2fabdc759a55b59b23e9ca7ff46c9b16cbaaedbaf70887bad302ceba0e6c679006fb97f1e8dc2a76b9551427ea1198fb4c5a7ab4
SSDEEP

24576:mDdU+YdDjh2vZpRgebJB4Qf+8Q173lQVKjQ3Ouka5T7bVdgX5+GbQ50of0HlRLZo:0dwuFW8QdywPubv4p+8i0ofcpV3o

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2724	setup.exe
2584	setup.exe

Loads dropped DLL 17 IoCs

pid	Process
3060	SETUP.exe
2724	setup.exe
2724	setup.exe
2724	setup.exe
2724	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe
2584	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\isp3A16.tmp\temp.000	setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\isp3A76.tmp\temp.000	setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKe3AF6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKe3AF6.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 3060 wrote to memory of 2724	3060	SETUP.exe	28
PID 2724 wrote to memory of 2584	2724	setup.exe	29
PID 2724 wrote to memory of 2584	2724	setup.exe	29
PID 2724 wrote to memory of 2584	2724	setup.exe	29
PID 2724 wrote to memory of 2584	2724	setup.exe	29
PID 2724 wrote to memory of 2584	2724	setup.exe	29
PID 2724 wrote to memory of 2584	2724	setup.exe	29
PID 2724 wrote to memory of 2584	2724	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\SETUP.exe
"C:\Users\Admin\AppData\Local\Temp\SETUP.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe
    -deleter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
155B

MD5
a940efe6112ccd043e137096444f4134

SHA1
f8ec6cbf8ebb9895b714b10972a843b01a1a3103

SHA256
62ddcd0de32e686d178aeaa9068298c52a6df19949bcb972af047ac69362dec0

SHA512
14b0ad1943843439be49673e0a1b3e183d417c82ebbad437f8139e51ad99e279f2af0ccddca1d5e7c5dfee5b08be83c9b00879ff7fd8c89c6d73a6fbbec3a583

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp392A.tmp\Setup.dll

Filesize
264KB

MD5
7f0e7fc1dc4b20bab20497d670761c6e

SHA1
16f2795a58ffb8481e1258d6e4e026bff56c9d90

SHA256
5a45fb7bba2bc79cbc66e657ce56b110538d5537b59ecf320baa053beea6d1e6

SHA512
c07d887dd73d24fae0c40ff511e3ffeeb2622d074e3224bad30416837e149ba96e49252436ea27612da7697d491b3af8b7e323da08b453ca708461c0722eafe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp3A75.tmp\_Setup.dll

Filesize
152KB

MD5
028076a4fbf8fa58f18a60e3a5240e0a

SHA1
e88dbf4140ea02b812794158defd9518cbaae76b

SHA256
594820df4a61a930bcbbea6681361b173334ff925e4bcad138d48aaa36bc3b8d

SHA512
698178f9eb18ba9ae7d72168dbf3f803231aff16b2ac3d857105a55439e5ed5ed9190c384a3d5b430a00a87ab7a2ad31120bb9b39569ac6587f46137a0c23d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\data1.hdr

Filesize
17KB

MD5
b38d0856b2a6026566e6a23fbf343fc7

SHA1
52b5d7161ba96b7e24f1ebd18894917774fe9ab4

SHA256
3689ff8282e5bc43006e9611e560099c54cb46600febb8d69fdce185f468679f

SHA512
bc340ca591e1484c4eecf52f8bb05c09f33cb251447256f29b1a2d1c85067e3049707f3a81c27de8ffbf82acc52419d94f09498f8ec84123b615c97dd067e68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\data2.cab

Filesize
612KB

MD5
f4b396937c1ee88d79ecd3f9cabef13a

SHA1
5e79d2fae612ef6e80a1ca7498afb96b2fd039cd

SHA256
e348a5fc37f12dba2e444029d9883d07157fe644bdef53d06efd69a65df6b4dd

SHA512
71e3ad0b270908ff696ec36e61618f15bda6079766443fa5b82324feb5a650d8ba162b32f96986ff0cc9e3b1c63eb7e9ade41bc7bbd776eca982dde4dfd91ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\engine32.cab

Filesize
386KB

MD5
feebebfdb673bba2beca3f83263faaa3

SHA1
6cf32a42b95b3497f2731f2b22136dea9ba69489

SHA256
7a81f54a1f3f087fc2a3d7c25898744a59f189572c979bb8a811a1eb09eec00d

SHA512
f0fc304ad3e69ff013f8a1c8f249a5d6190fc76ea257d4ec7512ef490ce572ca16b2005665361aff59f9968e09c96edc143cf862cb6c194c40b39d528f68b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.boot

Filesize
326KB

MD5
b957e3c1f4781fb85d25e56dcad80d21

SHA1
71a116100ce724ddea6e81bf278b664bace6f14f

SHA256
fd4199c6c2156c6bcef909d3f62b23868d7499498311d32ff02302f6aaed9aa7

SHA512
f5ea6a11ad27a68913f22a775df8493e0f75cbfd3ed5020ed3c00b73d5c504e17182ed283793ccc8381d4bc72f1f9cb6448ee1b6b2411945b42ce9a49a47a8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.ini

Filesize
375B

MD5
c83cfde39970d14b22b79c72492bd2c1

SHA1
9c032dd523a98167b208ab39e66f41b0a33e6d3f

SHA256
2f006908a19dd73e72e6ba1507e04b6d346c129a1811a578c96fec19bcf0f59c

SHA512
46a353e4f91100e4f3f32620df52906b55aa00aaaa2584d02bc9a54a8f9c752081a307feb5eb29e076943ed6a0ec5a96d4f612d3efa16301280912e39665b4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft3593.tmp\pftw1.pkg

Filesize
1.6MB

MD5
24dbd11cb73bd757657782c8347ecae6

SHA1
edef0194c57c35ae2b0423d030a0d93b784ea264

SHA256
5dccb458c581198f7da3189894dfb85fa2a88d15dc54a679772261d5c3a39572

SHA512
c32fa70b7e55553fd67feaaf436c4a242fec997b50cf876518512983eb92fed1a3893b04ada1f3ba2bf2640597a13545a274b4c4c30028e301cc930b9d18c929

Download Submit
C:\Users\Admin\AppData\Local\Temp\plf3534.tmp

Filesize
5KB

MD5
cfaec980a3639a6b33704c0db20cb812

SHA1
e9402b1deb9293d51ea7a45ff5aea0f5bff1ea8f

SHA256
55023b00e2c2401272d0ad7b4b633814869483b6d939c5d4910e4ff18eeeee6c

SHA512
72bb65180098c195ea74c7dacf24500d98bbd872149e4247bdc98b3a12fabd2fd6846a61b7d30e610748d49348c347a1cec5939276e3a0b30703aeeb591017b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\set3A17.tmp

Filesize
145KB

MD5
323bff0939ec825e28d947af65a5eda1

SHA1
19c8d64eab423beda776febdffb4fe07036757ff

SHA256
cece9a446492277c62f3eddf049bc57504c5ab77554b7e25377d8e43c7f2c856

SHA512
c62c2e6cc34abe5c618fc3ebea27566d6a7396ccaa753f07e7f2adb3ca404649a167f8a3f1108dfeb1fccf653c186bba0bc6b6e88ff59c1bc350a4e66c1cde18

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKe3AF6.tmp

Filesize
620KB

MD5
734bfdc5269c9f5d3cb5c70c3b1fb7cd

SHA1
8430a0e5dc8d4b85ff107d176e8c8c9b3ac05dc7

SHA256
cf45dc216ad13041c81911c9c1f5367e17a63e10bdf8065e6e2341cd5e114028

SHA512
625014078f8924aed95d36f3e2276d6568c7d51b5b70865f5a85dc53d12bfc89547550e325cfddec909a678bcf41c79baeb4f12b090e5b2ac81d86918a3b5403

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\isp3A76.tmp\IGdi.dll

Filesize
156KB

MD5
98098911f534ffb8b4b70101dc4ccf86

SHA1
22e40b9f75ad1e1b7340a86d8dc7ccb299e4212a

SHA256
e7b19016e5a2b337728a31998c1a0b3f7a724a323025751c5fcaad6b52e3b31a

SHA512
b35becbf4d9735b87fc67dbfeb316f4c9f0946fabf6341f950aa60a1766b3a102613e7fffde607f7ff5fd5fb6de56dacba52ac65be14e3c79be65d5a991f95b3

Download Submit
\Users\Admin\AppData\Local\Temp\pft3593.tmp\Disk1\setup.exe

Filesize
95KB

MD5
d92301094eedaab094578d63397c8b50

SHA1
a4991b322310eaaa857f1a826a9120c37daba1fe

SHA256
a807f2a847619f728590ab27c8ddfd15d406d08f1a0fb27e1d5ca92e3c247357

SHA512
193369846b4fdfb99b80ad35345eea2df331959e68171eae6a7ad8c12cb9616a8e2d4191797eae82349d6890e45d729ad7160763d973898f2646d3563635e8b8

Download Submit