612716cbb8df3f2fc083fdefc03265996d9176663bb0f941daad5a3e52b0fe8a

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MainInstallerAutoEmbedded.exe
Size

796KB
MD5

7fc6bc14a74dc69773587af10132d8c9
SHA1

9d98b268eaa7f4ad208bde39944fdb1ab201e076
SHA256

e288d49f6011dcd3f893e54ceafda9b6b491543966521c483064a7df43e5bdd2
SHA512

a738205fb26bf259e70b1cacfd10f9168d381778ef90a49847b8d332d93b471cbdcf6357a3d2dfb2e41a4666cba98dd9dc2867a20d472636e5fc8080cc073742
SSDEEP

24576:P7yrmq17YLUAl1+O50aT+1bXkS/EZQM7G7ZQ51bmtfWR163i95cVmB:jgbyLV1ILT/ES46S5Bmted6VmB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	SetupAuto.exe

Loads dropped DLL 3 IoCs

pid	Process
1992	MainInstallerAutoEmbedded.exe
1992	MainInstallerAutoEmbedded.exe
2376	SetupAuto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral15/files/0x000d0000000122dc-7.dat	nsis_installer_1
behavioral15/files/0x000d0000000122dc-7.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2376	SetupAuto.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28
PID 1992 wrote to memory of 2376	1992	MainInstallerAutoEmbedded.exe	28

C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe
"C:\Users\Admin\AppData\Local\Temp\MainInstallerAutoEmbedded.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe
  C:\Users\Admin\AppData\Local\Temp\SetupAuto.exe /PID=0 /NOTIFY=0 /FFR=1 /FFP=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso36BB.tmp\ioSpecial.ini

Filesize
694B

MD5
a0b1d0e27b35a0e0503fade858bc12e9

SHA1
2ccf9dc90ae426757122447fab9164530b7c700a

SHA256
b921f510251e04f3737ca2647371ce7a3ce7fe34f5db9676df43d7aebb755d48

SHA512
2765fafce812c985046be7fa78fd0cc1b4cff3af2f16038e60995f75599f25d5b128a66dfabb2448aba9729f565234541338901edab2ec6bf0df2da2eb76d59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36BB.tmp\ioSpecial.ini

Filesize
707B

MD5
0ac0fa56593881b588d973aaa7210f92

SHA1
11376301b4cd311dac8a2be9cd651ea20ff05c85

SHA256
c697347daa1e9061f8b8ff81b3ad41e511a9143462f3fb7399b1ada94b841d4d

SHA512
b69e9f7b7d024c7c755e75474cb8fd7eafe077ab9d9b29652831280666bde4645f1ff2937e76140b050d3e0adf24728279eb0a0e29a75b7a02df9824e64f987c

Download Submit
\Users\Admin\AppData\Local\Temp\SetupAuto.exe

Filesize
512KB

MD5
ff0198fd1f59b71c1deec34b6b0b0c07

SHA1
cae622ad91a3bab0996589e3bf905c9d4eeb6059

SHA256
f552d818f17841efb7f06803ecd2479fe5c9b2a0d3c4dad2c9d90b42e2e9d7d5

SHA512
96795276eefcde81b0ad4ac85f4aaec368cb93bd9e9912c343316912f1502f3a22d845af3ba75ea5aa92b1936028558d48c11a77d331d49bd77f58b886868ccc

Download Submit
\Users\Admin\AppData\Local\Temp\nso36BB.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nst35A2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit