Analysis
- max time kernel: 92s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2024 15:11
Static task
- static1

Behavioral tasks (task: Sample, Resource)
- behavioral1: Disk1/ISSetup.dll, win7-20231215-en
- behavioral2: Disk1/ISSetup.dll, win10v2004-20231222-en
- behavioral3: DotNetInstaller.exe, win7-20231215-en
- behavioral4: DotNetInstaller.exe, win10v2004-20231215-en
- behavioral5: IScript.dll, win7-20231215-en
- behavioral6: IScript.dll, win10v2004-20231215-en
- behavioral7: IUser.dll, win7-20231215-en
- behavioral8: IUser.dll, win10v2004-20231215-en
- behavioral9: ctor.dll, win7-20231215-en
- behavioral10: ctor.dll, win10v2004-20231215-en
- behavioral11: ikernel.dll, win7-20231215-en
- behavioral12: ikernel.dll, win10v2004-20231215-en
- behavioral13: objectps.dll, win7-20231215-en
- behavioral14: objectps.dll, win10v2004-20231215-en
- behavioral15: Disk1/setup.exe, win7-20231215-en
- behavioral16: Disk1/setup.exe, win10v2004-20231215-en
- behavioral17: Manuals/ORTEC File Structures.pdf, win7-20231129-en
- behavioral18: Manuals/ORTEC File Structures.pdf, win10v2004-20231222-en
- behavioral19: Manuals/V9 Users Manual.pdf, win7-20231215-en
- behavioral20: Manuals/V9 Users Manual.pdf, win10v2004-20231222-en
- behavioral21: Support/vc_redist.x86.exe, win7-20231129-en
- behavioral22: Support/vc_redist.x86.exe, win10v2004-20231215-en
General
- Target: Disk1/setup.exe
- Size: 929KB
- MD5: 2cc9103dfdf1e8a5db13f0915a9416de
- SHA1: da0ad0f88a26e31846e9df040e470d70f5d699e7
- SHA256: f0a02d3ace10af6507f29e56b7c6e5f4eeb643f809baa2eb2a44ce08ce66e290
- SHA512: 6024b0ef569aa82b0ed18a2552ad141fc8340b9a462388292fba103e18a2462fb78fc79a82fb7d247c2a15a8f5e7eb4d21c597ea54c03a428d945754d2f02ba8
- SSDEEP: 12288:9p5e7e1f+jY849fxuBa5kVDIyb496sxhFSOQ2gqIKXH62t:9pA7e1jwD9bEtFSOQCIaHlt
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Executes dropped EXE (7 IoCs)
  Processes (pid, process):
  3520 setup.exe
  3000 ISBEW64.exe
  4536 ISBEW64.exe
  2592 ISBEW64.exe
  2844 ISBEW64.exe
  3156 ISBEW64.exe
  3112 ISBEW64.exe

- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  3520 setup.exe
  3520 setup.exe
  3520 setup.exe
  3520 setup.exe

- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)

- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes (description, pid, process):
  Token: SeBackupPrivilege 4540 vssvc.exe
  Token: SeRestorePrivilege 4540 vssvc.exe
  Token: SeAuditPrivilege 4540 vssvc.exe
  Token: SeBackupPrivilege 3008 srtasks.exe
  Token: SeRestorePrivilege 3008 srtasks.exe
  Token: SeSecurityPrivilege 3008 srtasks.exe
  Token: SeTakeOwnershipPrivilege 3008 srtasks.exe
  Token: SeBackupPrivilege 3008 srtasks.exe
  Token: SeRestorePrivilege 3008 srtasks.exe
  Token: SeSecurityPrivilege 3008 srtasks.exe
  Token: SeTakeOwnershipPrivilege 3008 srtasks.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  PID 3924 wrote to memory of 3520: 3924 setup.exe -> setup.exe
  PID 3924 wrote to memory of 3520: 3924 setup.exe -> setup.exe
  PID 3924 wrote to memory of 3520: 3924 setup.exe -> setup.exe
  PID 3520 wrote to memory of 3000: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 3000: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 4536: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 4536: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 2592: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 2592: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 2844: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 2844: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 3156: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 3156: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 3112: 3520 setup.exe -> ISBEW64.exe
  PID 3520 wrote to memory of 3112: 3520 setup.exe -> ISBEW64.exe

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Disk1\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Disk1\setup.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\setup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\setup.exe -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\Disk1\setup.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7EC79C65-F43C-42E4-9A99-3F956D035AFF}
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F51AF12B-A966-4495-9918-2D2A081AD5C4}
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{115A0311-A566-4FB1-8E56-A12DA252A8E7}
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49018005-440C-4129-94A1-EC2FBA6B7998}
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7823D6EA-8A9F-402E-A4D0-B5BA20FD7E9E}
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7DAD1938-808E-49DB-89EE-1E83453E77D7}
      Signatures: Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\0x0409.ini
  Filesize: 21KB
  MD5: a108f0030a2cda00405281014f897241
  SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
  SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
  SHA512: d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298
- C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\ISSetup.dll
  Filesize: 1.6MB
  MD5: 82785d52aff250d92e6c415a84f3a0cb
  SHA1: f18d27f5b4fa37fb77f3c24fd96d6075db759580
  SHA256: 89b71ad218a00b8ca87136266d841240dd8d00ad4e8745b28c9a8cf775623937
  SHA512: decdc14dc3d77bc25a30ac16095a2045b5ccb6fad99fe652e0477ac08524762ed7c3b39fcb2e90ddfd5ef1752f609522d9c6b9794450536761c6195862eb89c2
- C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\setup.exe
  Filesize: 929KB
  MD5: 2cc9103dfdf1e8a5db13f0915a9416de
  SHA1: da0ad0f88a26e31846e9df040e470d70f5d699e7
  SHA256: f0a02d3ace10af6507f29e56b7c6e5f4eeb643f809baa2eb2a44ce08ce66e290
  SHA512: 6024b0ef569aa82b0ed18a2552ad141fc8340b9a462388292fba103e18a2462fb78fc79a82fb7d247c2a15a8f5e7eb4d21c597ea54c03a428d945754d2f02ba8
- C:\Users\Admin\AppData\Local\Temp\{354FDF9B-EA62-4506-8523-42049B956E46}\setup.ini
  Filesize: 2KB
  MD5: a4d19620ead09181c517e06750d91e97
  SHA1: b0fc15f5fb1c77091a8763b48ccbc2c9e07c59ef
  SHA256: 71ec8da4023db3adeb0ec13102cfe60d89c1a19469f9fad725ec62b6ee38cd12
  SHA512: 491751f8758b111391a3749338472b8be92d34295474c60634a669530ef53e7627e31833195b150b763aad3fa4ba11391b464c3e1f8ebb180025ecabce5f1481
- C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\ISBEW64.exe
  Filesize: 178KB
  MD5: fc6b38a02516871ec641e99fb18f448b
  SHA1: 58754875d6b068d4c076363531674b5d8164e4dc
  SHA256: 9419696372f4460fdc12d96ecd9f3a9489e9070ccab7cca4b51602c051db31bf
  SHA512: 9a9bb2ad036ba9141fe312ab199ed2eb75bb132f69cb4b1fe98f4daaac8698debf2f72fc4b7969b1386fd849ef857e6861f66b14cf43a86328cfbac3617c6b98
- C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\DIFxData.ini
  Filesize: 84B
  MD5: 1eb6253dee328c2063ca12cf657be560
  SHA1: 46e01bcbb287873cf59c57b616189505d2bb1607
  SHA256: 6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1
  SHA512: 7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e
- C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\FontData.ini
  Filesize: 37B
  MD5: 8ce28395a49eb4ada962f828eca2f130
  SHA1: 270730e2969b8b03db2a08ba93dfe60cbfb36c5f
  SHA256: a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932
  SHA512: bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382
- C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\_isres_0x0409.dll
  Filesize: 1.8MB
  MD5: dc1c02e272c281895c0456f358f44378
  SHA1: cd51129bacc9f463fc0fb09bb38eb89ece916fde
  SHA256: 3782f17b843b4cd3245c8b751d0c23b1b34a24a64a923dbcaefc26e65fe4f69d
  SHA512: 7d1dc68274f164b811acb08334857ab4c3c847daea1724a5ca9d2db7f1f4fff3009b9092fc8c5ccc64e2c8d57babe563d72b3c7f9f64de3c1c02c2e747ec48b5
- C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\isrt.dll
  Filesize: 426KB
  MD5: 6142481421bd6cc14addf9606137973d
  SHA1: 97686f0e3254c3c245256ae280ed36f9457b3ec2
  SHA256: 650d006d2f4f62d740d7d198f7febe201d3f528ee87e089958b5c4e1cd27e748
  SHA512: 21e9bd11b931ba20dff2e30f3301fcb5fc119535a6428c175224e1a35e6c6c14b07f437a416d53787635ce8b8aa042d4dc514beed41b0575591ae79c1592993b
- C:\Users\Admin\AppData\Local\Temp\{D8920706-3810-45C9-B827-D9DB26403F18}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\setup.inx
  Filesize: 295KB
  MD5: cc39c98d6ea121e91e585f29a858a18d
  SHA1: c4515f50e4b1f948ea0816ebefdd0e254ecbbb52
  SHA256: fa42d001a34a82b25c052bfbceeafbfd3ccd0e856075745dc9086ab43e3a9df1
  SHA512: 0220234921aca2f2ff4e846cd30fa0f0684ac232d85e75e95c2fbc8815f64a8db857cea7ae77fc7ada1b3d44f656e6db0d079e4b6cf78c5996e9c34fe46e9c17

Memory dumps
- memory/3520-74-0x0000000010000000-0x0000000010114000-memory.dmp
  Filesize: 1.1MB
- memory/3520-76-0x00000000043F0000-0x00000000043F2000-memory.dmp
  Filesize: 8KB
- memory/3520-81-0x00000000052F0000-0x00000000054B7000-memory.dmp
  Filesize: 1.8MB
- memory/3520-106-0x0000000010000000-0x0000000010114000-memory.dmp
  Filesize: 1.1MB