a599fef128ee44a446caccfb5b208829d84de80e8c8668f382027b95384ba256

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.5MB
MD5

bcc20f2831e847f00afb0627682486bc
SHA1

4305d8c98dea0541730947c80f479f1c95fecc03
SHA256

a6c3bffc842d485f89a62ec6c82a5deb57ad13244345479a6616e071431493b0
SHA512

f6b3acb10897a0bca68a8f81de1876fe8c5d834cd1fb40b0c5c29174ed36a220cabe6cab6906973bb5bb726976b51d08f5ca6f95dbcde893d62be05bf7fc8f8c
SSDEEP

24576:94QY/qIJ8v+y9wonUPTeS+LdDIdsdeAxe4J5pULCeChdhFZNgQ71MAh6eDL9ok/:fYCIJ8kTeSqdDCOX3J5pULCeChnGQ7WO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1648	is-C150L.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1648	4792	setup.exe	90
PID 4792 wrote to memory of 1648	4792	setup.exe	90
PID 4792 wrote to memory of 1648	4792	setup.exe	90

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\is-64G1P.tmp\is-C150L.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-64G1P.tmp\is-C150L.tmp" /SL4 $A0042 C:\Users\Admin\AppData\Local\Temp\setup.exe 1344260 50688
  2⤵
  - Executes dropped EXE
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-64G1P.tmp\is-C150L.tmp

Filesize
572KB

MD5
8f3608ebddf701377b117d56fd6ff6e4

SHA1
1a8f2732434f625094a269838b358b1b35842dca

SHA256
5d5222159aa734ac7ec8144896733e8ab22203eeaa51dcdaded862ae1dc7fb4e

SHA512
00ad079b50e70aedcdb5b1317f07711a603c336db9fb7943ab2ab0396b5ca51184bfa2106e30158c8eb74b32763c323b45259fa3e361c74357d6a738c874d48e

Download Submit
memory/1648-7-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1648-11-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1648-14-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/4792-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4792-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download