Analysis
- max time kernel: 127s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-02-2024 07:10
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ea5ce8eb2a03e0aa77e2055061a3f2916952a32b578822707fde0818900653fc.zip
  - Resource: win7-20240220-en
- Behavioral task: behavioral2
  - Sample: ea5ce8eb2a03e0aa77e2055061a3f2916952a32b578822707fde0818900653fc.zip
  - Resource: win10v2004-20240226-en
- Behavioral task: behavioral3
  - Sample: Setup.exe
  - Resource: win7-20240221-en
General
- Target: Setup.exe
- Size: 202KB
- MD5: 64179e64675e822559cac6652298bdfc
- SHA1: cceed3b2441146762512918af7bf7f89fb055583
- SHA256: c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
- SHA512: ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
- SSDEEP: 3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)

  Processes:

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 2392 set thread context of 2580 | 2392 | Setup.exe | 29 |

- Program crash (1 IoC)

  Processes:

  | pid | pid_target | Process | procid_target |
  |---|---|---|---|
  | 1720 | 2580 | WerFault.exe | 29 |

- Suspicious behavior: EnumeratesProcesses (4 IoCs)

  Processes:

  | pid | Process |
  |---|---|
  | 2392 | Setup.exe |
  | 2392 | Setup.exe |
  | 2580 | cmd.exe |
  | 2580 | cmd.exe |

- Suspicious behavior: MapViewOfSection (1 IoC)

  Processes:

  | pid | Process |
  |---|---|
  | 2392 | Setup.exe |

- Suspicious use of WriteProcessMemory (9 IoCs)

  Processes:

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 2392 wrote to memory of 2580 | 2392 | Setup.exe | 29 |
  | PID 2392 wrote to memory of 2580 | 2392 | Setup.exe | 29 |
  | PID 2392 wrote to memory of 2580 | 2392 | Setup.exe | 29 |
  | PID 2392 wrote to memory of 2580 | 2392 | Setup.exe | 29 |
  | PID 2392 wrote to memory of 2580 | 2392 | Setup.exe | 29 |
  | PID 2580 wrote to memory of 1720 | 2580 | cmd.exe | 31 |
  | PID 2580 wrote to memory of 1720 | 2580 | cmd.exe | 31 |
  | PID 2580 wrote to memory of 1720 | 2580 | cmd.exe | 31 |
  | PID 2580 wrote to memory of 1720 | 2580 | cmd.exe | 31 |
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"), PID 2392
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\SysWOW64\cmd.exe), PID 2580
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 172), PID 1720
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.2MB
- MD5: cbcb008adc08d98cd5934813e06018af
- SHA1: 0d80232c8792803aa07b0935f863f1c9e1662f10
- SHA256: 42c9d8e03ebd13e14bb483faf1a62230cf501728e562b3442b02300da27a33f7
- SHA512: 94b10f2960ee35ec1ad3b13b5e23f26941ba353d28efef968a7aba2945e0a29137b9f6bf144b1198328da499072d1b5422ea03d7e1e61d76f999f6bb6e59b5c5