bbefa95a5194c60e8593d0e3fda41a3069dcea56cc9b1d29a7d3ba66cca5fe91

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

439KB
MD5

b2a7bbc9d57498e48ed0cecb6670d3d4
SHA1

ad5269cd497614f5ac7686940409d7facb7110b5
SHA256

a0e035c9aa85d60dee7fcbd03d53afc7fad64923009994d378112d7d67f0e902
SHA512

536ca585d0fba42ebcdfb4c1ed1428fdb7f5598dcc21c365f238bef8b969d66381ba7857b71710b634d59e097c98e2f50fd91dd8b95fdd92c979d0185fb6687e
SSDEEP

12288:iY7winUJbTMxsre/5eLbCr3L3B6enmRpKNG6eG:3hUJTte/5p5EeYG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	is-1HTAF.tmp

Loads dropped DLL 3 IoCs

pid	Process
2184	setup.exe
2248	is-1HTAF.tmp
2248	is-1HTAF.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2248	is-1HTAF.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2248	2184	setup.exe	28
PID 2184 wrote to memory of 2248	2184	setup.exe	28
PID 2184 wrote to memory of 2248	2184	setup.exe	28
PID 2184 wrote to memory of 2248	2184	setup.exe	28
PID 2184 wrote to memory of 2248	2184	setup.exe	28
PID 2184 wrote to memory of 2248	2184	setup.exe	28
PID 2184 wrote to memory of 2248	2184	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\is-IJ32Q.tmp\is-1HTAF.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IJ32Q.tmp\is-1HTAF.tmp" /SL4 $30146 C:\Users\Admin\AppData\Local\Temp\setup.exe 231704 50688
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0TF6D.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IJ32Q.tmp\is-1HTAF.tmp

Filesize
592KB

MD5
34eafa22ea917a31d314eff4224097f4

SHA1
005b5f236dcb26d21d7ee96eaf5cd45fac21c5cd

SHA256
b8cca55558a4af82cded8ae413241d82e828bf6402d77278d157424d870a75f8

SHA512
651c6ac7d4b695a91f1ac4a81115dd8a999dfe6ee1165499b59200b3146b19e0642372f8a04f8556900560e4c88b6d7cb962147bcaf2d0068db0abed4db295b3

Download Submit
memory/2184-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2184-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2248-15-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download