4bbb6021ab01478496202bc0cfb7527b068a621093a823c8d02e696da8b6decb

Analysis

max time kernel
123s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

9.4MB
MD5

0d5f882ff265554df34ebde89e0a897d
SHA1

8090c510c3838939d4a9015f06527ab8dc46c9b8
SHA256

75df21afcc97aa8efcbc43739d487d045e245aef351847faea4828da030d4feb
SHA512

8995ec060cb5fd62b4419bab73ad0d566e583c78020b87b9abf61bbfb902ecc0232ce7073f37fabd26dde9f83a049a388048377ee72172a98a53f335e1ab31af
SSDEEP

196608:xLWzSggC9iULjRagqE5RJZhvcajHt1WLA62DW9NNGfJxA639zOx:NWmMNL1rq6RJZF/jH2A6PNNc3Mx

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe
2112	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	Setup.exe
2112	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1604	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsn4140.tmp\AdvSplash.dll

Filesize
6KB

MD5
416dd1f9853a601f16c70ee016ee855f

SHA1
226a5aa251118f5e337d22017dd0861f2d8b21d3

SHA256
2cf08655bd37f2999612ced3b79d35b537e2b0cd281bb1f452c427879634e7de

SHA512
27e104a657eaed4cc8f58588385af6354d41785df98c8fc02eb436cb4372e3c0047ec28eab5ab37ef70ddca46fc9cf1cc86fc0d95267fff759ae7e610b5f8d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4140.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4140.tmp\InstallOptions.dll

Filesize
12KB

MD5
43ba71f370a45aebcde86d76b83b208c

SHA1
1f14e3c253a5b7255b617084b45e51ef9d6717e4

SHA256
6d0a19614efb523f78477429df04b71459ee69b3d16231798dcfa539b3d2a64c

SHA512
36aaf1ccb7c1085ba9fbacbad6c1505c9e389be5e9bd52ee7046b48302b8239d6e34dfeeb32a2708c4fb7d5a85c1d202fbdabcdd6a2cced0099249640443b551

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4140.tmp\System.dll

Filesize
10KB

MD5
0c8ea8e6637bbf8408104e672d78ba45

SHA1
c231c7acaf9abb7da93f28e1b71bed164d57103e

SHA256
509a93177a7ae130bc3b6b5ec3236c7aa0811b8b86f8ab3442c65fdf8ff85b1f

SHA512
ee763a3cdbbba3b28e6a903ac942c7228bd8e54b19de21d6187e481f2916d833d9b9800e5ac2998f4aa26274cdfb20a8bfdd10f00f2a15d37bcc529b617e1f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4140.tmp\ioSpecial.ini

Filesize
601B

MD5
dcbbe2a2e2fa85df98fe4c0d32e35700

SHA1
73a183334ec7bb501643ac7c1fa28fbb47dd0f61

SHA256
04260c80d6372524abbcf21140736f660e768d7034e1d48a41ed71303d2c71f0

SHA512
a233b08c8ba1f2e25b6eb811231c47c9ca4856d674133c4ea0554532930a383f6bed929caeaf05f459d87ccb0778683433f5383cd05ca330490c49e65046cb11

Download Submit