006c3e59e32dc5f56cfa6b911e4e4fc171d681e614f3ec48edf232460814d31f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppSetup.exe
Size

446KB
MD5

485008b43f0edceba0e0d3ca04bc1c1a
SHA1

55ae8f105af415bb763d1b87f6572f078052877c
SHA256

12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10
SHA512

402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1
SSDEEP

12288:vK5+DMJA3TAz4plk9iZOOti81N5y1qMIg+GV5Zul3M:y5+DMJA3TAz4plk9ijK1qlGV7ulM

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 1652	1216	AppSetup.exe	29

Loads dropped DLL 7 IoCs

pid	Process
1652	cmd.exe
3048	RarExt32.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	3048	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1216	AppSetup.exe
1216	AppSetup.exe
1652	cmd.exe
1652	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1216	AppSetup.exe
1652	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1652	1216	AppSetup.exe	29
PID 1216 wrote to memory of 1652	1216	AppSetup.exe	29
PID 1216 wrote to memory of 1652	1216	AppSetup.exe	29
PID 1216 wrote to memory of 1652	1216	AppSetup.exe	29
PID 1216 wrote to memory of 1652	1216	AppSetup.exe	29
PID 1652 wrote to memory of 3048	1652	cmd.exe	31
PID 1652 wrote to memory of 3048	1652	cmd.exe	31
PID 1652 wrote to memory of 3048	1652	cmd.exe	31
PID 1652 wrote to memory of 3048	1652	cmd.exe	31
PID 1652 wrote to memory of 3048	1652	cmd.exe	31
PID 1652 wrote to memory of 3048	1652	cmd.exe	31
PID 3048 wrote to memory of 2584	3048	RarExt32.exe	32
PID 3048 wrote to memory of 2584	3048	RarExt32.exe	32
PID 3048 wrote to memory of 2584	3048	RarExt32.exe	32
PID 3048 wrote to memory of 2584	3048	RarExt32.exe	32
PID 1652 wrote to memory of 3048	1652	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\AppSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppSetup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\RarExt32.exe
    C:\Users\Admin\AppData\Local\Temp\RarExt32.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 88
      4⤵
      Loads dropped DLL
      Program crash
      PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\937cf8fd

Filesize
1.9MB

MD5
7ad0e1ffb70443cb03ea9793b494772f

SHA1
0271de222bef074d5a2a4d5317cda627e9c29395

SHA256
32cc421c480695c7b92dab52b6e72734e966e495be947a1c34af111521dac05d

SHA512
74a3a96a9526e44cc49e67328732fcc606972e4f7d5adc7a63e79ee040a5bacf1bb84fa34306ad0bcdd2c7eeb6451f0f387f4bf8d549b7985a6d5bac5be6f0bf

Download Submit
\Users\Admin\AppData\Local\Temp\RarExt32.exe

Filesize
750KB

MD5
f566af2bb0bb3be340dd7239163d8c9e

SHA1
fd891e25413b31d58e0b96288704606f535183e1

SHA256
fba6f7d8ba6b37b17266e8cb3e201ad0914c4a7b3f883ba954ed6d222f4268bc

SHA512
7d85bab7fde596c52ffc5fe7fc3b4c022b5ed97149239932070135868c341b641350c8f2f099e9e5a5a17299fdc452f4919d85dba13b282fa6a1d3fb3481b342

Download Submit
memory/1216-0-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/1216-1-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/1216-7-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/1216-8-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/1652-15-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/1652-14-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/1652-12-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/1652-10-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/1652-22-0x00000000749B0000-0x0000000074B24000-memory.dmp

Filesize
1.5MB

Download
memory/3048-20-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-24-0x0000000000080000-0x0000000000103000-memory.dmp

Filesize
524KB

Download
memory/3048-30-0x0000000000080000-0x0000000000103000-memory.dmp

Filesize
524KB

Download
memory/3048-32-0x0000000000080000-0x0000000000103000-memory.dmp

Filesize
524KB

Download