Analysis
max time kernel: 143s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:44
Static task: static1
Behavioral task: behavioral1
Sample: setup.exe
Resource: win7-20231215-en
General
Target: setup.exe
Size: 25.0MB
MD5: d9cb6b15ec112ef3f774595bf7dd470f
SHA1: 59c9419e5c124a0faa61c330ed8b32365c8bcfca
SHA256: c31caefe53f3fce951a7676beb1496992e7946346829591ef6e3da4a836d7962
SHA512: 3ea52db7b4fdc289281fc94e15c60edcf3feb35217f173658f7c0782405afd52389866032803576a83545289486dd123e96b641c2acd8d982ed4ff1d764e4d35
SSDEEP: 393216:izurZSURipVeO4OI8H/1OmXyv2r+XjxTEXEYCRQdw4a5G7utZ4+sj:iRURQVm4sl26XjxTEP5u4aE7utZ4+a
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: pid 2632 setup.tmp
Loads dropped DLL (1 IoC)
  Processes: pid 2084 setup.exe
Kills process with taskkill (1 IoC)
  Processes: pid 2688 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 2632 setup.tmp
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 2688 taskkill.exe (Token: SeDebugPrivilege)
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (pid process -> target pid target process):
  2084 setup.exe -> 2632 setup.tmp (7 events)
  2632 setup.tmp -> 2688 taskkill.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
   PID: 2084
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-8O3T5.tmp\setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-8O3T5.tmp\setup.tmp" /SL5="$100150,25324939,778752,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      PID: 2632
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: "taskkill.exe" /f /im tap_speed.exe
         PID: 2688
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
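The chain above is the classic Inno Setup bootstrap: the outer setup.exe drops the real installer into %TEMP%\is-XXXXX.tmp\setup.tmp and launches it with a /SL5 argument, and that child then runs taskkill /f /im against a named process before installing. The added example below (not part of the sandbox report, and not the sandbox's own detection logic) turns that into a small detection routine over process records. The records are constructed to mirror the tree above; the parent pids are inferred from the nesting and the WriteProcessMemory parent -> target pairs, because the report does not list ppids explicitly. The /SL5 field names in parse_sl5 are descriptive labels only, not Inno Setup's internal names.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the process tree in the report above.
# ppid values are assumptions derived from the tree depth and the
# WriteProcessMemory parent -> target pairs.
SAMPLE_PROCESSES = [
    Proc(2084, 0, r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'),
    Proc(2632, 2084, r"C:\Users\Admin\AppData\Local\Temp\is-8O3T5.tmp\setup.tmp",
         r'"C:\Users\Admin\AppData\Local\Temp\is-8O3T5.tmp\setup.tmp" '
         r'/SL5="$100150,25324939,778752,C:\Users\Admin\AppData\Local\Temp\setup.exe"'),
    Proc(2688, 2632, r"C:\Windows\SysWOW64\taskkill.exe",
         r'"taskkill.exe" /f /im tap_speed.exe'),
]

# Inno Setup stages its real installer as %TEMP%\is-XXXXX.tmp\<name>.tmp
INNO_STAGE_DIR = re.compile(r"\\is-[A-Z0-9]+\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# taskkill with both /f (force) and /im <image>, in either order; capture the image
TASKKILL_FORCE_IMAGE = re.compile(r"/f\b.*?/im\s+(\S+)|/im\s+(\S+).*?/f\b", re.IGNORECASE)


def build_tree(procs):
    return {p.pid: p for p in procs}


def chain(pid, tree):
    """Return [proc, parent, grandparent, ...] by walking ppid links (cycle-safe)."""
    out, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        out.append(tree[pid])
        pid = tree[pid].ppid
    return out


def find_inno_stage(procs):
    """(parent pid, child pid) pairs where a %TEMP% executable spawned an is-*.tmp\\*.tmp child."""
    tree = build_tree(procs)
    hits = []
    for p in procs:
        parent = tree.get(p.ppid)
        if parent and INNO_STAGE_DIR.search(p.image) and USER_TEMP.search(parent.image):
            hits.append((parent.pid, p.pid))
    return hits


def find_forced_taskkill(procs):
    """taskkill /f /im <image> whose ancestry includes a %TEMP% executable.
    Returns (taskkill pid, killed image name, outermost %TEMP% ancestor pid)."""
    tree = build_tree(procs)
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\taskkill.exe"):
            continue
        m = TASKKILL_FORCE_IMAGE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        temp_ancestors = [a for a in chain(p.ppid, tree) if USER_TEMP.search(a.image)]
        if temp_ancestors:
            hits.append((p.pid, target, temp_ancestors[-1].pid))
    return hits


def parse_sl5(cmdline):
    """Split the /SL5="..." argument into its four comma-separated fields.
    Keys are descriptive labels chosen here (assumption), not Inno Setup's own names."""
    m = re.search(r'/SL5="([^"]*)"', cmdline)
    if not m:
        return None
    handle, a, b, path = m.group(1).split(",", 3)
    return {"handle": handle, "num1": int(a), "num2": int(b), "source": path}


if __name__ == "__main__":
    print(find_inno_stage(SAMPLE_PROCESSES))
    print(find_forced_taskkill(SAMPLE_PROCESSES))
    print(parse_sl5(SAMPLE_PROCESSES[1].cmdline))
```

On its own, an is-*.tmp stage is how every Inno Setup installer behaves, so find_inno_stage is context, not an alert; the interesting signal is find_forced_taskkill, which ties the forced kill of a named image back to the installer that ordered it. The page gives no indication of what tap_speed.exe is, so that name stays opaque here.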
Network
MITRE ATT&CK Matrix
Downloads
\Users\Admin\AppData\Local\Temp\is-8O3T5.tmp\setup.tmp
  Filesize: 3.0MB
  MD5: 6bbe594c03d4f8383ad9d0476b4ed596
  SHA1: e3f3c212969ab97ccdc9445458bbb66ab3e25cf4
  SHA256: d7e85468b8ff287448debaef7add1ee676f0b9bb0b2c59a9edeed9a1bf9430d6
  SHA512: cdc721c9e262a5d076fad2516badf690647000b487278fea829c981474e746f2bb7d59cc00e233b29de8a463f1b19e1ef59bbeeba6d2493edbbdb75fdfcfdb92
memory/2084-0-0x0000000000400000-0x00000000004CB000-memory.dmp
  Filesize: 812KB
memory/2084-2-0x0000000000400000-0x00000000004CB000-memory.dmp
  Filesize: 812KB
memory/2084-10-0x0000000000400000-0x00000000004CB000-memory.dmp
  Filesize: 812KB
memory/2632-8-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB
memory/2632-11-0x0000000000400000-0x0000000000707000-memory.dmp
  Filesize: 3.0MB
memory/2632-14-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB