21865f37dd2347dcda29a3bf2aad9ee884e09e73b70b68dcf4c8ad1f9b278942

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

3.3MB
MD5

673b7d2b10cd9a444dfceeec4130aa01
SHA1

666e31eb08705845e3d2ee5e4d9f2042ce54833c
SHA256

21865f37dd2347dcda29a3bf2aad9ee884e09e73b70b68dcf4c8ad1f9b278942
SHA512

871bb37375dd1896793308a1f7b0d46bf92e75f16fae924dc5b7038109b1ae8f6fcdad0e8741e3ba2229eec5450490e293fe9ed8cc276a678726dd033ea53a05
SSDEEP

98304:N1FxXqnAum/Er6xfBuLLBGShujM88MsZSYGqwDViz:nFxX8Aum/4qexgo0qSM

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
632	setup.tmp

Loads dropped DLL 4 IoCs

pid	Process
632	setup.tmp
632	setup.tmp
632	setup.tmp
632	setup.tmp

Kills process with taskkill 3 IoCs

evasion

pid	Process
1208	taskkill.exe
3344	taskkill.exe
4512	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 632	4600	setup.exe	88
PID 4600 wrote to memory of 632	4600	setup.exe	88
PID 4600 wrote to memory of 632	4600	setup.exe	88
PID 632 wrote to memory of 1208	632	setup.tmp	94
PID 632 wrote to memory of 1208	632	setup.tmp	94
PID 632 wrote to memory of 3344	632	setup.tmp	97
PID 632 wrote to memory of 3344	632	setup.tmp	97
PID 632 wrote to memory of 4512	632	setup.tmp	99
PID 632 wrote to memory of 4512	632	setup.tmp	99

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\is-74664.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-74664.tmp\setup.tmp" /SL5="$A0066,2697986,268288,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /F /IM Run_CS2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /F /IM Run_CSGO.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3344
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /F /IM csgo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-74664.tmp\setup.tmp

Filesize
1.3MB

MD5
5387623ad877ef153fe604fbcaa67c6f

SHA1
207bde42f2b60fad94906dbd6b0eeaff56345b24

SHA256
2a6cecb802016f8c6edcc86d24eecc0da373cf620b2f70c4bafa7ca357dcc2df

SHA512
85d3824079c95ac3d0a9435199a30659a0a78a132fa681f66acf6d117cb5fa26df4e9c9a659ece07d12de57c19eeafc7a01855d5d3c868f3b88bbe5a1ea2a159

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VG0QC.tmp\ISDone.dll

Filesize
459KB

MD5
e5d596903de4973dc6e201529ff042b2

SHA1
4b6439ba8f6ab52c23498b790923d9d24a3fa03d

SHA256
afd38bf8761aa06908a74a69dc2a5c31bbc6485f2d862da901e04680220dea23

SHA512
951e1a86dfde32dc83c1da0bf7551d48dd3572c5b642758b3c5f90336f9a703f3d9fafe25195db4dcbaac64030baeeb80f4d8fdd51645c6956618c7e7cdeee08

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VG0QC.tmp\cls-diskspan.dll

Filesize
1.1MB

MD5
b4a275ec5ad09069dcb569f8020c7ccb

SHA1
8632162e63bd30712275b6245b8344f973465db4

SHA256
c86786af639abd74b189d9922797be8b5ac763d162e7566b1877437e2aa377fe

SHA512
1276f9e9c284a74bcc8760031cfc263f1d2ae9573e2d5952b09cabe09084a66c603b095a2fb8baa3791606e2443b7cba88a451dcc36005781163563fd7bce39f

Download Submit
memory/632-29-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/632-23-0x0000000003380000-0x00000000033F7000-memory.dmp

Filesize
476KB

Download
memory/632-12-0x0000000003380000-0x00000000033F7000-memory.dmp

Filesize
476KB

Download
memory/632-38-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/632-18-0x0000000003500000-0x0000000003627000-memory.dmp

Filesize
1.2MB

Download
memory/632-33-0x0000000003500000-0x0000000003627000-memory.dmp

Filesize
1.2MB

Download
memory/632-22-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/632-6-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/632-24-0x0000000003500000-0x0000000003627000-memory.dmp

Filesize
1.2MB

Download
memory/632-32-0x0000000003380000-0x00000000033F7000-memory.dmp

Filesize
476KB

Download
memory/4600-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4600-21-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4600-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4600-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download