89df1eb47e24963acda027076d670844dd2923fdd76546046afba32ab783cb6c

Resubmissions

07-03-2024 15:06

240307-sg3jhseb28 10

Analysis

max time kernel
145s
max time network
46s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CBackupSetup.exe
Size

33.6MB
MD5

b4f13a3078b128a011d436fa28bcd88d
SHA1

fd52af5b2f757fd4714ab67c6168d7ad60296457
SHA256

ee36e42b3e50cc6e0ac888250701938e76a6517dbcabda7f8c912a84db5674ae
SHA512

3f0ecf2f3732043a250e2a329ae8e2fe2e48f7bda2a05afc2fe0cc302e902ee5d94cbfcc8316df8aabf255c5675061cd94a8737d5c675ef36de7aa9d5f78aa84
SSDEEP

786432:dUHEO1DiRKnn73T6L7snKbo8g7UW8b7fNsZHDerblSJ9daGFq:dzcn73O7nb3iU9b7e9erJSzs

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	CBackupSetup.tmp

Loads dropped DLL 4 IoCs

pid	Process
2832	CBackupSetup.exe
2848	CBackupSetup.tmp
2848	CBackupSetup.tmp
2848	CBackupSetup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	CBackupSetup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30
PID 2832 wrote to memory of 2848	2832	CBackupSetup.exe	30

C:\Users\Admin\AppData\Local\Temp\CBackupSetup.exe
"C:\Users\Admin\AppData\Local\Temp\CBackupSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\is-VMN89.tmp\CBackupSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VMN89.tmp\CBackupSetup.tmp" /SL5="$7011E,34204878,808448,C:\Users\Admin\AppData\Local\Temp\CBackupSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-6HKSS.tmp\CancelProcess.dll

Filesize
77KB

MD5
4fc3b9fa02324ec58a3cbeaf8331ac30

SHA1
aa0993e820b4cd6807661d243b7967f7f31d7ccd

SHA256
214c0a4a15466a38b0cc7c154e9e2417cf68dc39c730ebc51c7a6b77618bcbee

SHA512
9a199a6b57e5e0c872ed529ab69b28d8c7f61c76fbd19df41e5f5d05ef6227a1177dc237f29529130e4c0e0e8337cecf84228b2002701e53b539791be3837559

Download Submit
\Users\Admin\AppData\Local\Temp\is-6HKSS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VMN89.tmp\CBackupSetup.tmp

Filesize
2.1MB

MD5
55d21b109823dc12ebae53d632934ad2

SHA1
c654f1ca031c17651a2074e267cbb4f697d3d8fb

SHA256
78f0ddf21cfb9c406de582bd489211f238b930a091eabf82bfe02da3f16eb935

SHA512
2a874357de98cc1bb71d69fa5619acede9a0c651fe28305167fcc7ca04c85d75af90d8a3be345dfc15353391d5da6254fa16e3dadcb81f5bc98bdf7c1f07c2de

Download Submit
memory/2832-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2832-19-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2848-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2848-20-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2848-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads