7b1cf1979579775f48e8d20974753453f75963b3094d3b95519d9362e943dbbb

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

farlab_setup.exe
Size

1.7MB
MD5

a7703240793e447ec11f535e808d2096
SHA1

913af985f540dab68be0cdf999f6d7cb52d5be96
SHA256

6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
SHA512

57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
SSDEEP

49152:C9CKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmyGpf8:MCm5eMOooqhomhjrcLS8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1968	farlab_setup.tmp
2728	farlab_setup.tmp

Loads dropped DLL 8 IoCs

pid	Process
1044	farlab_setup.exe
1968	farlab_setup.tmp
1968	farlab_setup.tmp
1968	farlab_setup.tmp
2180	farlab_setup.exe
2728	farlab_setup.tmp
2728	farlab_setup.tmp
2728	farlab_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	farlab_setup.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1044 wrote to memory of 1968	1044	farlab_setup.exe	19
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 1968 wrote to memory of 2180	1968	farlab_setup.tmp	17
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18
PID 2180 wrote to memory of 2728	2180	farlab_setup.exe	18

C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\is-6Q4JK.tmp\farlab_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6Q4JK.tmp\farlab_setup.tmp" /SL5="$4014E,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968

C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\is-6B1BH.tmp\farlab_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6B1BH.tmp\farlab_setup.tmp" /SL5="$5009A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4J9B4.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6B1BH.tmp\farlab_setup.tmp

Filesize
361KB

MD5
aaafdc8e47c74909d5ea857feb5d61d7

SHA1
db756576a7b841edd091f94156b8a0cc0b84d972

SHA256
5132ab0474e824bb39578647906d64076c4ec4a87d08b56b038f67c51d10ba25

SHA512
f5b7ec7f9e82bc0baedfb03d6c99de1648cac9d9e52a15a0fed29bd33bab451004f09f77039829fceb51429cd86ac47389a935eb23a670ddeb7465b3386ebe00

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6B1BH.tmp\farlab_setup.tmp

Filesize
264KB

MD5
d2f28473aa815218c24d45e11c03b3ab

SHA1
43677d1d8fbbe2a74ca4dc27a2e564ae0fa05b9e

SHA256
99362f571b67c4926f80d8d1ccf899284d05849c63e2d41aa4fe70d8192e05c9

SHA512
110548bb405c949824453740dd94d1c014ed3dec5c65844b758e90aed264b45ca7dae2243f8cd0f3f1271bcf5ce802d7b696509637a5e15f2b5691d377390ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6Q4JK.tmp\farlab_setup.tmp

Filesize
13KB

MD5
85ea9e2916b47b7a3c3410dc897d4523

SHA1
e128a6d93f5b41f8a6f91972c2d3975549c199bb

SHA256
3557e8c19aa948b87e0eca7680be55e7e77ea6f4ca85eaec1642b4a03fdcfb8f

SHA512
d9ed5878b9c8f3d61626e9d888a3db17740667f58674211e545cb20a54e7d180caf6929d46fa0af75827ca076120c9a03a901049ce104be0d091ba0aca379cbe

Download Submit
\Users\Admin\AppData\Local\Temp\is-4J9B4.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4J9B4.tmp\idp.dll

Filesize
201KB

MD5
9ae962a91bd121476279874a04ee4cf7

SHA1
989277b8ae40b8dd093355a280c924b9a9325b9f

SHA256
b23585f84a28261ea718e40ed906a1f3a08a9d295312fc40e581b8434d2b56b6

SHA512
f887ef2c5e56464391109ea973bd7453b58dd616589fee152dee26c47e4f81f6b0b08806afe4b6d03e2247a17541eb53b99876aa897cdecd37d7c712f78e07b5

Download Submit
\Users\Admin\AppData\Local\Temp\is-6B1BH.tmp\farlab_setup.tmp

Filesize
165KB

MD5
0e2c8f52cc8c422256ce8e85bc02b87c

SHA1
7985bd5fc479f907d5e202ccec81fb0c0d598537

SHA256
d06ee8f7e2bd27ae8e6bfc0e1f7ee4b7dd7f196dc0ecb2da5acd1f3825deb570

SHA512
b1cac91309bf5ff2fbddb089d5f802876b581e5f72704426034159856fcdd676709ef3566124555d831052470e4822a7e2c5aaead3b7738bbd316f8c4d505d4f

Download Submit
\Users\Admin\AppData\Local\Temp\is-6Q4JK.tmp\farlab_setup.tmp

Filesize
5KB

MD5
78d3e17a86e82c15e14f52a5812291ac

SHA1
78cda7755c1d2444675114a725b8b9dbe7184e07

SHA256
a42ab7bbaefd9c21a60f088c12cf52807b0cfdcdb2d0e251668695030a8c5e80

SHA512
5501f2242d1af5ef2ed2a7988de6f046e0addb0c7ea45ad93f38752247cf35342b10d8f2de46128f6a6ee4569b8f3a3fbd29ca225ddece0b6ea5083aa95d14e3

Download Submit
\Users\Admin\AppData\Local\Temp\is-O0L7U.tmp\idp.dll

Filesize
95KB

MD5
2497620fa4e61df6e43b707c720beafc

SHA1
ffbd502fc4adbf92be55581638734e235bc93816

SHA256
ef3f3fa04d82f498fb68d4eff598fdef71a2efda7ead9f3ed52c14238ff23c8f

SHA512
b79b8f82c691d818ef8b2d9e4629e9ef2690f0c8d66eeb0b65485d21f2914f7d45628fac64b9e15237f844f5bb57d462216a53f33d31e7e03035bf00ce982b0c

Download Submit
memory/1044-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1044-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1968-41-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1968-10-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2180-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2180-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2180-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-33-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2728-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2728-48-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download