Analysis
- max time kernel: 146s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-02-2024 06:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip
  Resource: win10v2004-20240226-en
Behavioral task
- behavioral3
  Sample: lSetup.exe
  Resource: win7-20240221-en
General
- Target: lSetup.exe
- Size: 202KB
- MD5: 64179e64675e822559cac6652298bdfc
- SHA1: cceed3b2441146762512918af7bf7f89fb055583
- SHA256: c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
- SHA512: ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
- SSDEEP: 3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: lSetup.exe
  description | pid | Process | procid_target
  PID 2372 set thread context of 2604 | 2372 | lSetup.exe | 28
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | Process | procid_target
  2724 | 2604 | WerFault.exe | 28
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: lSetup.exe, cmd.exe
  pid | Process
  2372 | lSetup.exe
  2372 | lSetup.exe
  2604 | cmd.exe
  2604 | cmd.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: lSetup.exe
  pid | Process
  2372 | lSetup.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: lSetup.exe, cmd.exe
  description | pid | Process | procid_target
  PID 2372 wrote to memory of 2604 | 2372 | lSetup.exe | 28
  PID 2372 wrote to memory of 2604 | 2372 | lSetup.exe | 28
  PID 2372 wrote to memory of 2604 | 2372 | lSetup.exe | 28
  PID 2372 wrote to memory of 2604 | 2372 | lSetup.exe | 28
  PID 2372 wrote to memory of 2604 | 2372 | lSetup.exe | 28
  PID 2604 wrote to memory of 2724 | 2604 | cmd.exe | 30
  PID 2604 wrote to memory of 2724 | 2604 | cmd.exe | 30
  PID 2604 wrote to memory of 2724 | 2604 | cmd.exe | 30
  PID 2604 wrote to memory of 2724 | 2604 | cmd.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\lSetup.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\lSetup.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2372
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\SysWOW64\cmd.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2604
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 172
      - Program crash
      PID: 2724
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.2MB
  MD5: 7fd88099181641cba6f7238bab84d5f7
  SHA1: 79d04c79fe33b0c47072b9a3cff79a3d36ecee0e
  SHA256: 95f9ddd26f810ae4aec328134d5459494423a171b30957722b4c1bbaebb64ec5
  SHA512: c7dc64602b17fa3bec5e616fb18fa64d5bd94fc2cfddc0ee04d03038d6d43cb551e68617c8dfd748df81dedcabb2cd441871110ffc268931af9798f81d82f491