Overview

overview

6

Static

static

1

setup.exe

windows7-x64

6

setup.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23/02/2024, 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    3.3MB

  • MD5

    673b7d2b10cd9a444dfceeec4130aa01

  • SHA1

    666e31eb08705845e3d2ee5e4d9f2042ce54833c

  • SHA256

    21865f37dd2347dcda29a3bf2aad9ee884e09e73b70b68dcf4c8ad1f9b278942

  • SHA512

    871bb37375dd1896793308a1f7b0d46bf92e75f16fae924dc5b7038109b1ae8f6fcdad0e8741e3ba2229eec5450490e293fe9ed8cc276a678726dd033ea53a05

  • SSDEEP

    98304:N1FxXqnAum/Er6xfBuLLBGShujM88MsZSYGqwDViz:nFxX8Aum/4qexgo0qSM

Score
6/10
discoveryevasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Kills process with taskkill 7 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\is-OFVV0.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OFVV0.tmp\setup.tmp" /SL5="$600EC,2697986,268288,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /F /IM Run_CS2.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /F /IM Run_CSGO.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /F /IM csgo.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /f /im "Run_CS2.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="P2P In" program="C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\aria2\aria2c.exe" dir=in action=allow enable=yes
        3⤵
        • Modifies Windows Firewall
        PID:312
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="P2P Out" program="C:\Program Files\Counter-Strike Global Offensive\7launcher\tools\aria2\aria2c.exe" dir=out action=allow enable=yes
        3⤵
        • Modifies Windows Firewall
        PID:804
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Counter-Strike Global Offensive In" program="C:\Program Files\Counter-Strike Global Offensive\csgo.exe" dir=in action=allow enable=yes
        3⤵
        • Modifies Windows Firewall
        PID:2188
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Counter-Strike Global Offensive Out" program="C:\Program Files\Counter-Strike Global Offensive\csgo.exe" dir=out action=allow enable=yes
        3⤵
        • Modifies Windows Firewall
        PID:440
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /F /IM cls-lolz_x86.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:328
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /F /IM cls-lolz_x64.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /F /IM xtool.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Counter-Strike Global Offensive\7lcfg_cs2.ini
    Filesize

    160B

    MD5

    da4714d1cfaea9b7addfd6351533e6a3

    SHA1

    cf114bc173f6e014a6437710af1a6a52ac8fffc6

    SHA256

    4f72037f848182133c7ae979aa4dfaee3f39b21938c28670bede74c905e9efa6

    SHA512

    1fad15cac75c4285208b18547ef928e5ddd4e6c798865b14fec6137d90f0af8261d39a07968df21d260a4c519a9c0b57c005a4889e832a9d8504eb54212c1a88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-09FD2.tmp\cls.ini
    Filesize

    598B

    MD5

    8c91f3d2f3576180e9c2aad105d89a3d

    SHA1

    3a2a19cfd772ff094b7e80749037bae1a413e7e8

    SHA256

    c3900619cb3cc5f0854e5c0de7b572522ef89c1f9ba1019d261bf6f23b178ca4

    SHA512

    d1dc002973f54b8e192d5b0562b332879ab48496f2bfeb9154cce187485fbd27129ac5bfbbbc3ef89d19363001f7d76d4760d9090d970b6720ac19c5c6cd350a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-09FD2.tmp\ISDone.dll
    Filesize

    459KB

    MD5

    e5d596903de4973dc6e201529ff042b2

    SHA1

    4b6439ba8f6ab52c23498b790923d9d24a3fa03d

    SHA256

    afd38bf8761aa06908a74a69dc2a5c31bbc6485f2d862da901e04680220dea23

    SHA512

    951e1a86dfde32dc83c1da0bf7551d48dd3572c5b642758b3c5f90336f9a703f3d9fafe25195db4dcbaac64030baeeb80f4d8fdd51645c6956618c7e7cdeee08

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-09FD2.tmp\cls-diskspan.dll
    Filesize

    1.1MB

    MD5

    b4a275ec5ad09069dcb569f8020c7ccb

    SHA1

    8632162e63bd30712275b6245b8344f973465db4

    SHA256

    c86786af639abd74b189d9922797be8b5ac763d162e7566b1877437e2aa377fe

    SHA512

    1276f9e9c284a74bcc8760031cfc263f1d2ae9573e2d5952b09cabe09084a66c603b095a2fb8baa3791606e2443b7cba88a451dcc36005781163563fd7bce39f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-OFVV0.tmp\setup.tmp
    Filesize

    1.3MB

    MD5

    5387623ad877ef153fe604fbcaa67c6f

    SHA1

    207bde42f2b60fad94906dbd6b0eeaff56345b24

    SHA256

    2a6cecb802016f8c6edcc86d24eecc0da373cf620b2f70c4bafa7ca357dcc2df

    SHA512

    85d3824079c95ac3d0a9435199a30659a0a78a132fa681f66acf6d117cb5fa26df4e9c9a659ece07d12de57c19eeafc7a01855d5d3c868f3b88bbe5a1ea2a159

    Download Submit

  • memory/2912-19-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2912-1-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3012-12-0x0000000002E90000-0x0000000002F07000-memory.dmp

    Filesize

    476KB

    Download

  • memory/3012-20-0x0000000000400000-0x0000000000552000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3012-21-0x0000000002E90000-0x0000000002F07000-memory.dmp

    Filesize

    476KB

    Download

  • memory/3012-22-0x0000000003010000-0x0000000003137000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3012-16-0x0000000003010000-0x0000000003137000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3012-8-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-66-0x0000000002E90000-0x0000000002F07000-memory.dmp

    Filesize

    476KB

    Download

  • memory/3012-65-0x0000000000400000-0x0000000000552000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3012-67-0x0000000003010000-0x0000000003137000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3012-68-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-70-0x0000000000400000-0x0000000000552000-memory.dmp

    Filesize

    1.3MB

    Download