55b6099192c0138d92121fd9b8e8de31932cb6b63bb1fb09a6b435bb702522d0

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c942b814a5f9c7b67f44695b425bab8c.exe
Size

634KB
MD5

c942b814a5f9c7b67f44695b425bab8c
SHA1

a99cb6bdeedaeda4cee171a3bb3d965d627f0049
SHA256

55b6099192c0138d92121fd9b8e8de31932cb6b63bb1fb09a6b435bb702522d0
SHA512

3c69095b634888e91a791a0a1c9e9c17074289dfb1e01451d3591bd98d3ee0d3b8f8735bc64b462034c1beb88f8dd0934060819bbfba906cdcedde9c0be418ac
SSDEEP

12288:qaURx74dkMH4Y8qlrbVrdzvWQjl3NEeKx25qAF3Z4mxx+JvLHSLHNF6ZzeYmxybH:qaikH4YBFRbvx3+x25qAQmXCzMHNF6ZN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
660	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\setup.exe	c942b814a5f9c7b67f44695b425bab8c.exe
File opened for modification	C:\Windows\setup.exe	c942b814a5f9c7b67f44695b425bab8c.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D138CDD8-6E51-4625-B759-E5DD26972F29}\WpadDecision = "0"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D138CDD8-6E51-4625-B759-E5DD26972F29}\WpadNetworkName = "Network 3"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-4e-e3-79-01-0d	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D138CDD8-6E51-4625-B759-E5DD26972F29}\c2-4e-e3-79-01-0d	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-4e-e3-79-01-0d\WpadDecisionTime = 10fc64f33976da01	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-4e-e3-79-01-0d\WpadDecisionReason = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D138CDD8-6E51-4625-B759-E5DD26972F29}	setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D138CDD8-6E51-4625-B759-E5DD26972F29}\WpadDecisionReason = "1"	setup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D138CDD8-6E51-4625-B759-E5DD26972F29}\WpadDecisionTime = 10fc64f33976da01	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-4e-e3-79-01-0d\WpadDecision = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	c942b814a5f9c7b67f44695b425bab8c.exe
Token: SeDebugPrivilege	660	setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
660	setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 544	660	setup.exe	29
PID 660 wrote to memory of 544	660	setup.exe	29
PID 660 wrote to memory of 544	660	setup.exe	29
PID 660 wrote to memory of 544	660	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\c942b814a5f9c7b67f44695b425bab8c.exe
"C:\Users\Admin\AppData\Local\Temp\c942b814a5f9c7b67f44695b425bab8c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\setup.exe
C:\Windows\setup.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:660
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\setup.exe

Filesize
634KB

MD5
c942b814a5f9c7b67f44695b425bab8c

SHA1
a99cb6bdeedaeda4cee171a3bb3d965d627f0049

SHA256
55b6099192c0138d92121fd9b8e8de31932cb6b63bb1fb09a6b435bb702522d0

SHA512
3c69095b634888e91a791a0a1c9e9c17074289dfb1e01451d3591bd98d3ee0d3b8f8735bc64b462034c1beb88f8dd0934060819bbfba906cdcedde9c0be418ac

Download Submit
memory/2664-0-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2664-1-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/2664-3-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2664-2-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2664-4-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2664-5-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2664-7-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2664-6-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2664-8-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/2664-9-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2664-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2664-12-0x0000000003260000-0x0000000003263000-memory.dmp

Filesize
12KB

Download
memory/2664-11-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2664-14-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2664-17-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2664-18-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/2664-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2664-27-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2664-26-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2664-25-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2664-24-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2664-23-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2664-22-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2664-21-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2664-20-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2664-28-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2664-32-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2664-31-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2664-30-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/2664-29-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/2664-34-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2664-37-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2664-36-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/2664-38-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2664-35-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2664-33-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2664-39-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/2664-41-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2664-40-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2664-45-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2664-44-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2664-43-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2664-42-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2664-47-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/2664-46-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2664-49-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2664-48-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/2664-50-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2664-51-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2664-52-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2664-54-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2664-53-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/2664-55-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2664-56-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2664-58-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2664-65-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/2664-64-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2664-63-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2664-62-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2664-61-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2664-60-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2664-59-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2664-57-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2664-110-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download