737b556d3b68ea3bc0ee44dee71e26657802de630e039193e178a4d975c44187

Resubmissions

10/03/2024, 09:40

240310-lnnklshh9t 5

10/03/2024, 09:34

240310-lj5y4ahh2x 10

Analysis

max time kernel
140s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

App.Setap/Setup.exe
Size

53KB
MD5

e5ea5d841cb79942698c4e952a199a29
SHA1

ebe0e313c26f87af8ddf4a5f0fad1a68fc5f59d5
SHA256

8e478da3eff27b1be19a893314927385156a62582d8ceffb5be2c8852aff19d7
SHA512

f3aad0d51939184282327a0ed5544f4a9dc71e6b46409909a11dd440680301b5d5c160d58c9586f68800ac544b6573c8215a0a32c270acf0bc611ebbb219e0c0
SSDEEP

768:LNF2WLAuDeGJiqrmehiVSrmaBP39V5+5CYiUFr3HPxWE2plx:LNS7qjh3rmKPND+5C7UdPxg

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2684	2172	Setup.exe	28

Loads dropped DLL 7 IoCs

pid	Process
2684	more.com
2656	WinAPIHObj.au3
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	2656	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2172	Setup.exe
2172	Setup.exe
2684	more.com
2684	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2172	Setup.exe
2684	more.com

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2684	2172	Setup.exe	28
PID 2172 wrote to memory of 2684	2172	Setup.exe	28
PID 2172 wrote to memory of 2684	2172	Setup.exe	28
PID 2172 wrote to memory of 2684	2172	Setup.exe	28
PID 2172 wrote to memory of 2684	2172	Setup.exe	28
PID 2684 wrote to memory of 2656	2684	more.com	30
PID 2684 wrote to memory of 2656	2684	more.com	30
PID 2684 wrote to memory of 2656	2684	more.com	30
PID 2684 wrote to memory of 2656	2684	more.com	30
PID 2684 wrote to memory of 2656	2684	more.com	30
PID 2656 wrote to memory of 1656	2656	WinAPIHObj.au3	33
PID 2656 wrote to memory of 1656	2656	WinAPIHObj.au3	33
PID 2656 wrote to memory of 1656	2656	WinAPIHObj.au3	33
PID 2656 wrote to memory of 1656	2656	WinAPIHObj.au3	33
PID 2684 wrote to memory of 2656	2684	more.com	30

C:\Users\Admin\AppData\Local\Temp\App.Setap\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\App.Setap\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3
    C:\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 268
      4⤵
      Loads dropped DLL
      Program crash
      PID:1656

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\df1f0ae5

Filesize
741KB

MD5
f4779c37f47dcac1a0b985262239a335

SHA1
f43cb80e9a4dc2c21cbb8aedcc27f6083ad0ad25

SHA256
ee8c1023e312c3db52c732b092af7013d4572567b8c24a25a0e9c55436df3db5

SHA512
7f9ec0f8549f25ec1afe42cf926740d6941fc1bd671c2744645ac566d1de0833527310219306aa6435139ce2b5ff764efcce82abea67c0525e9ccd0e90f4a025

Download Submit
\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3

Filesize
914KB

MD5
44133fa6600cf94081ce211066b9e3a1

SHA1
fd9c614fa0eb5cc12e21ffc09d320826c8f27416

SHA256
cb7489569ae9e137f6144708906b0266ea1ff6b463cfccd9cae4df1654c1b3a5

SHA512
4a301a2018fb3b86f8c1ff692ce1f02afa22ef7a90499ce18a20e779e7652232ec3d22ac67b196f5c75d7a9aa2068492292ae7f5c028aa92dcff055e28288bd2

Download Submit
\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3

Filesize
768KB

MD5
58ec72e255b3d34a937061e12308ef4f

SHA1
3e81ef2eff948f96dd75e713351e44805edf4f0d

SHA256
93cecc79fe52b19070aa8834cb7305ca418186c9a5c3b201916a4f310235d8e9

SHA512
1a19441ef8f7485bd160fc0e26f3fb36e158f50f34fbf852caac49bb117738c8006a55cbdf96b5781f1c2badad5964810eed0c54093da352006ce0b410b571dc

Download Submit
\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3

Filesize
101KB

MD5
59accf0e0febe69170448cd5ceb9114a

SHA1
1d7f81d0749fb669ee0e9dc024a88da417577a8a

SHA256
7a0f48336c7693b33c76055a648f4a78f4c95212303d2069338cf889094df3e8

SHA512
57b1fa39163af6b2b900426f77f4ce063af55ca99996d26d0d6587dff0979d82aaee0878dc798f9bae7b1690a7480d6e2489f3c380e4ec8f1c088e30d51eb4fa

Download Submit
\Users\Admin\AppData\Local\Temp\WinAPIHObj.au3

Filesize
8KB

MD5
fc3967efc8d59822a1822110a34388fc

SHA1
15450c566fd14943283e10ca7e3df402cc137e3e

SHA256
d03817f0f6b88f650ad64f2212ab45c34f35900bf9d8a0a2d1df4e3b5cf665aa

SHA512
f0727c218df566a5552fcc9a8b41f164d650b58082b7c660288468ecc8562a0f79254b40807a726c6a1307f2a93932a9c8364dc59aa058e2361b67ae43b9d566

Download Submit
memory/2172-0-0x000007FEF6340000-0x000007FEF6498000-memory.dmp

Filesize
1.3MB

Download
memory/2172-6-0x000007FEF6340000-0x000007FEF6498000-memory.dmp

Filesize
1.3MB

Download
memory/2172-5-0x000007FEF6340000-0x000007FEF6498000-memory.dmp

Filesize
1.3MB

Download
memory/2656-31-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/2656-21-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/2656-24-0x0000000000B00000-0x0000000000BEB000-memory.dmp

Filesize
940KB

Download
memory/2656-25-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2656-20-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2656-32-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/2684-9-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2684-18-0x0000000074F00000-0x0000000075074000-memory.dmp

Filesize
1.5MB

Download
memory/2684-13-0x0000000074F00000-0x0000000075074000-memory.dmp

Filesize
1.5MB

Download
memory/2684-12-0x0000000074F00000-0x0000000075074000-memory.dmp

Filesize
1.5MB

Download