006c3e59e32dc5f56cfa6b911e4e4fc171d681e614f3ec48edf232460814d31f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppSetup.exe
Size

446KB
MD5

485008b43f0edceba0e0d3ca04bc1c1a
SHA1

55ae8f105af415bb763d1b87f6572f078052877c
SHA256

12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10
SHA512

402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1
SSDEEP

12288:vK5+DMJA3TAz4plk9iZOOti81N5y1qMIg+GV5Zul3M:y5+DMJA3TAz4plk9ijK1qlGV7ulM

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 560	2876	AppSetup.exe	90

Loads dropped DLL 1 IoCs

pid	Process
2524	RarExt32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2876	AppSetup.exe
2876	AppSetup.exe
560	cmd.exe
560	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2876	AppSetup.exe
560	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 560	2876	AppSetup.exe	90
PID 2876 wrote to memory of 560	2876	AppSetup.exe	90
PID 2876 wrote to memory of 560	2876	AppSetup.exe	90
PID 2876 wrote to memory of 560	2876	AppSetup.exe	90
PID 560 wrote to memory of 2524	560	cmd.exe	98
PID 560 wrote to memory of 2524	560	cmd.exe	98
PID 560 wrote to memory of 2524	560	cmd.exe	98
PID 560 wrote to memory of 2524	560	cmd.exe	98
PID 560 wrote to memory of 2524	560	cmd.exe	98
PID 560 wrote to memory of 2524	560	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\AppSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppSetup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\RarExt32.exe
    C:\Users\Admin\AppData\Local\Temp\RarExt32.exe
    3⤵
    - Loads dropped DLL
    PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a816bf5

Filesize
655KB

MD5
857b87d0502e0bd832e5821e11725f5c

SHA1
f7aee8813bfc4725f4903cefcefc3e987124f39b

SHA256
482b528a58ee4eb1c2f266ae4d4aa3c197b0e2e4e6c0b5e8507b9ccae288681f

SHA512
7201378a718c7a1ec2711c1d05c026cd4a516a428457a2b2be5f89dce48730473b530c216c983385a1ff4639aa4d795e04ccec56c716ffcb852dfe55f8a69525

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarExt32.exe

Filesize
750KB

MD5
f566af2bb0bb3be340dd7239163d8c9e

SHA1
fd891e25413b31d58e0b96288704606f535183e1

SHA256
fba6f7d8ba6b37b17266e8cb3e201ad0914c4a7b3f883ba954ed6d222f4268bc

SHA512
7d85bab7fde596c52ffc5fe7fc3b4c022b5ed97149239932070135868c341b641350c8f2f099e9e5a5a17299fdc452f4919d85dba13b282fa6a1d3fb3481b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarExt32.exe

Filesize
694KB

MD5
de1a0058728dc3a3f16d833f7153e433

SHA1
1b400fac629d9d6f8827adcf24b55d31f30a0d2e

SHA256
ca7fe83b563a875a8e67e0cf67bb7f8f8db17c81ef32a938abedbc299f771111

SHA512
c192869368878d160f0fcfeb958d70a826a56e8c68167d02a1a21801aa13d0ef71b5abedbfb4b6c6e75a01b2ff6dc9ba1fb16e82c6795ea7c1e3b79ef1f423d2

Download Submit
memory/560-15-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/560-20-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/560-10-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/560-12-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/560-14-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/2524-22-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-25-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-38-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-37-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-36-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-29-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-28-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-27-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-26-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-35-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-24-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-30-0x00000000008B0000-0x0000000000933000-memory.dmp

Filesize
524KB

Download
memory/2524-32-0x00000000008B0000-0x0000000000933000-memory.dmp

Filesize
524KB

Download
memory/2524-33-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2524-34-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2876-8-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/2876-0-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/2876-1-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2876-7-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download