ee1fcfce4a8f3349c6f78e52eff179f51e95e69665e43a32fa1e76a7674d18cf

Analysis

max time kernel
154s
max time network
47s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/03/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crimson Skies/GOODIES/ACROBAT/AR405ENG.exe
Size

5.5MB
MD5

0b7e6d34ece24e225d1f3edbf731ea95
SHA1

d199783d5e6dedda2441ab0708b71b066a2acd2b
SHA256

ec44a3ecbd663d7bcb996dc9ea14606aeab8155b74a5ff3abdc9c16782d2644a
SHA512

1e548ad48c09e8715a0e624306f1ef72338fd204f17b6ca0690c8b69dbba711263bafba0ffe62f3530ae7d778611a8173527a826de41dc98ef69ba0055bcec31
SSDEEP

98304:O0E3BvPH4ER64BcwNFBe6jCkK0Gyo9VOGzma43a14Vw1S9USos/E5CJWNcf:slPz64//Be6ej+o9Tf1k9UHDYLf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	_INS5576._MP

Loads dropped DLL 7 IoCs

pid	Process
2228	setup.exe
2796	_INS5576._MP
2796	_INS5576._MP
2796	_INS5576._MP
2796	_INS5576._MP
2796	_INS5576._MP
2796	_INS5576._MP

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_iserr31.ini	setup.exe
File created	C:\Windows\_isenv31.ini	setup.exe
File opened for modification	C:\Windows\_delis32.ini	setup.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2628 wrote to memory of 2228	2628	AR405ENG.exe	30
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2796	2228	setup.exe	31
PID 2228 wrote to memory of 2224	2228	setup.exe	32
PID 2228 wrote to memory of 2224	2228	setup.exe	32
PID 2228 wrote to memory of 2224	2228	setup.exe	32
PID 2228 wrote to memory of 2224	2228	setup.exe	32
PID 2228 wrote to memory of 2224	2228	setup.exe	32
PID 2228 wrote to memory of 2224	2228	setup.exe	32
PID 2228 wrote to memory of 2224	2228	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\Crimson Skies\GOODIES\ACROBAT\AR405ENG.exe
"C:\Users\Admin\AppData\Local\Temp\Crimson Skies\GOODIES\ACROBAT\AR405ENG.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\InstallShield\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\SETUP.EXE" -isw64"C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\SETUP.EXE" /SMS
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
    C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2796
- - C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
    C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
    3⤵
    - Drops file in Windows directory
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDATAI51.DLL

Filesize
52KB

MD5
2a9a390018a50f1af0df0b7118696f6e

SHA1
f9a4cf357e49cf1f032ca4f8d46def52c6935e33

SHA256
1d9321dd5e1790dff91cbd475a023760f3b6b6b26e849b70b171b841070378f2

SHA512
813be48cf11a14b618fbfa358794b1e6cef727f305470f27c82bbfccc0921ef2141d740a71c47890db1e705f10bc3d0c67e3d9f651710fdd88f19b9e7e30bc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
183B

MD5
d7d3e8fdc4b3fdf8d837feb5522a4297

SHA1
1237974dd52c6c8a5a8f28d7f67b65fd1c1cd4cf

SHA256
e12dafc757089ae2bff58dc547c732bd3f13539a1bd4ecedfa1d2b627182b766

SHA512
32cceffde57201f0a6810a9afe780fcc26ffaf769db1c545274887757884b965bb5595ae4fcda2ec717d38bd4a7337912820109c3123835c8235988bfff45ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\AdobeIns.ini

Filesize
3KB

MD5
db7c98d5faf5b012ebde55c1d5f0a1e1

SHA1
44df28c9a983cf129f09f33d34976985076ed8b2

SHA256
09954509714da724b61dac52ad2f050a4a8cd51faddbbf2d6f5ca984ea3f8457

SHA512
b0bd467a753e72efe980b0a3882ecaca846e10946cbbb484338b7df899d7800fe3adc7f4c00819df64cbe6bde2b9ccd2d6966022722b63a43fcd39435ff22f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe

Filesize
272KB

MD5
81bccb7176badb59a1cfc7d0f042e205

SHA1
284e39f2f055af11d1189be482f5c1637a7590da

SHA256
c4e9610b48718ec6851809fe847f2bad8ed10a066e3fa5e016e805e74691d5f9

SHA512
1eb5f292db7ef6ca42298b43207997aeff41b2a92f03faffcc0605dbcf82a093f0f4de4a27d36376c60171b502680dbe9294eb6164583b2d9627065f232f1949

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\f771eb7.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\f771ec7.DLL

Filesize
6KB

MD5
b15a1d88a8f0fc7009fb4b254bbcc730

SHA1
b120ff84cd631108fa059d8f077a2667d1db527b

SHA256
82a549f50bcef626dfa5f56db306a2fe0b2edef780b64ecc135685b823e0cc14

SHA512
63bf7b5ac6d92b4171d4050f2b4ce8cb9cc89a352d9f85bbe6ddbb7afddefc9fa7022b87080be3cb50b8eca4fcaa879673441473a5a9e62ec18ceb37c0664044

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\LAYOUT.BIN

Filesize
590B

MD5
918f6f68140c3f7f766cd976ce8a6dca

SHA1
685df779b41a3d1b32a57ef9512663a723a21b37

SHA256
1b573f8cb6681f575facb9e03428ba66702322cdf1e2eb467d0b16ee5ac3fbd2

SHA512
e7f3220d184aee8fd6cc46352d03810160a3106d02f715c4cde128d60703fb080e313af16bc0758eda6535452bd142cb06698e13370a027ebcb6e3b132e77123

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\SETUP.INS

Filesize
85KB

MD5
2d26d4f24bafe5305cf1f87d3f9d7dbc

SHA1
0c8b95376ddc3d401f616256520c01383d4f3683

SHA256
8871d2a5d5d57cc5d83e31096a82b6e8fef54efd68539d8e19b0fed60c9f5424

SHA512
722c31bd47ae1e51b27d1dc2e7092fc179f8bd890997a89b93365f76cd6995ca49634366504fb42c2656d5dbcb8c17b91ea70967adfc5c488955eae4bbb4adb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\SETUP.LID

Filesize
49B

MD5
1b79748e93a541cc1590505b6c72828a

SHA1
1ddefee04dc9e9b2576dc34eebcfa3de4aa82af9

SHA256
708d29c649525882937031b3d73cc851b7b1bc30772eb4e0e2a71523908f2eb5

SHA512
e85c1f04d3841cd1e5aa5d7ba37bb3aff557d67b1aceb2d9435f07862593eb4e139162c71d9b017c82aade2e1c535c79d1a18d26dffb95282e10bc64bda04bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\Setup.exe

Filesize
59KB

MD5
691fd06eb0a771313a1c7516c5f122fa

SHA1
17c58fb7c9260481adc633a854fdea3e03a0a6ad

SHA256
5a5245f0e0e92b5a72c0b772d4a58feea29100ad632059db9254ddf7b01ed3f8

SHA512
bd990544ad56f2d85f7beb9d130a52dec135e8bbfeb13957b6a234998a5828dca7d22c372f41895c8d5d21de6c6e01b6728e5ab10c313486659b89999678134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\_INST32I.EX_

Filesize
291KB

MD5
e69e71765d982275679ea0cba6dd332c

SHA1
c7b9fb2c9caa3394547ea0e706e6f2dd49e17805

SHA256
808c49409aa93932909b640ae85223e17ad617a57e734fc956c6c5bf79b7890f

SHA512
cb6170d1f5f1a132bedcd90171a0ea5f252024de8400306af8d412dc5cba22b57b10673cb6cb1f0b633ec822956a465fcfe3fe5fa44385c812acfec4376fc66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\_sys1.cab

Filesize
177KB

MD5
29b2ef733d0bcaf42078e739e2ff759f

SHA1
7b8f8df1ffa55efbaa7251d529d4feb15f51fb4b

SHA256
580cef1bf8a72c650f9cd8cc1ce16557a4c14bcc1ee436b44997e9e8743bb59b

SHA512
729cc1ad4667a64b86393f6141b5a54558d2156d44ec6fce4ccef71ab8c6ee24c1ea05ab0e6340c0dd61876de4e7351504c122d81a5d2f8b3c5d7858fa548f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\_sys1.hdr

Filesize
4KB

MD5
99a63406e475eacfe3fcc5b31390d179

SHA1
5ed1f33903a0fbc246441116792103538203f479

SHA256
f0359cd4fc828459439c1a21176f0a8e3a3a56719f27566368897d8af22bfd06

SHA512
86273151833c232209f28664511de62e07abe9800f8c4e5167f660fc90a2712e8210a785aa8e9ea3ce8ea21861a37f842e3a7a7c59535a9b9010c2569db7b5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\_user1.cab

Filesize
118KB

MD5
2192345177224e7b58aa1c4f061f6d47

SHA1
277b516f35ce9a50ff389bc56b99fc2f6efd60bf

SHA256
972e0d788f90de2ae35eedcdbac0e6584ad37dfe08cd9cd2a599fef82acf9d87

SHA512
4cbd8ef64c2d25417451854f492fd8bd5eb9781c8457596a0dd10e87c03a07f8cdf8895992a95b0a746a56272c8209c939a7680538245dcf6854f33fb49eaad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\_user1.hdr

Filesize
5KB

MD5
942997a45d037d3e95c0e874faf242cf

SHA1
e781b26c178776fb923a115e82e3db6f9f8cb68f

SHA256
900d574c371ed899f3cf8ea33d38f8da205f64407bf92811ded1f70395e6cec6

SHA512
8aa92761243c36d2f08e9d61bb621e2c501451bb271cd7620f99e9017842ef9b4161f2d14b8d93efb97d11c252cdcd5b99cb1fad6cd416dd9d415c8cc5eda526

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\data1.cab

Filesize
469B

MD5
68118979dddcba1539dbca476eea22f1

SHA1
d1d6e10fb9d6dee16f23910e55a76a4a0670a49f

SHA256
d5e44ad8adb1b7109463504e29d5be2d10dbdec65e92c910009ce6f94e375973

SHA512
ad083d65dc9f924d2c745bb5b0e9fe790360a43f59c3a76cb9d56d03bdf964c9659274a56b1bf89f0eb482ab928fc50bf2dadf789f32d10173aebc356bf9df4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\data1.hdr

Filesize
31KB

MD5
d80d770cdf42228df90870ebbc2a8b87

SHA1
33b7382951a1f5fcc1b5d549cc2bb4c6d57fd076

SHA256
64f3e41fc29176023be9e3f24cd30405f28b4af2cc9fce012994e55a94a4f3ce

SHA512
96acdbdb03d8a45458c077846c313867579f2f77a251ab3920a07c0e5a317afe006b38628449d81fad8a553f22101504d312634bfc2b49f33b54a16cbb2fd3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\os.dat

Filesize
450B

MD5
478f65a0b922b6ba0a6ce99e1d15c336

SHA1
577bb092378b8e4522eff40335ff7a50040170b7

SHA256
be2292517342de82d50cefbacb185e36558fcdfbf686692e7df08a80331f9bee

SHA512
747589cae4514cff7d5ea9b51b483c0fe6cb9242b0f31503268a73881acddf25541a7ae56f8826b4f15235dd2ab8c98c94674666e47c36ea913bcfb539143c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\pftw1.pkg

Filesize
222KB

MD5
a4fe1e5227796640b2b13a4736fa4914

SHA1
8d074ba41ad096def2e4a9c5c4b12c018d4b7e98

SHA256
d3cf9c81a6cabc21d91026d6e184e4f8b7c2a67e711423531b6dd22278886f16

SHA512
9d883a4ca4c1ebe222d8d2b759e16511627f4101eea84eadec6b384581fb5aee0676fcb1fadec1fb17f0ab34cccad229dc70200826d546e64b841114ba8a0b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft169C~tmp\setup.ini

Filesize
95B

MD5
c2daf5650ac7324efc9a01bec68bcb07

SHA1
5dbdfaa7be81ded840b88602644ab28330b386ca

SHA256
e76b3e7d1418e339797063604cd83da6e43f380dd15ff54a4dfa58856548d718

SHA512
abaf496a30d50ccf79c08083efa6f8ada14ac49eeb6847c8ac9f51a7d0b52c434f33f30d61f844d976399f62410ed194205203010df3e4c1078f2e03ecd87629

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
6a476da7776ebf1b4ac52fb2b2066b2b

SHA1
6a87af2ba2d6a096c7a1fa8a7522c5c8219d8cff

SHA256
de98625e41f479f50b6ae4adb6ca92eefbfed1ce9b13b637a64a3151ab91a54e

SHA512
f86f264d3a9700717005aef8458f04477d6c04b18af5eecd4cfef06bda629ef7fbbb969fb43f1f1081ccd62b322489de95db978eccfa5d96fe3d5a72a1b3689e

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
548KB

MD5
deb1d4a88dcc0832a739e06af123d13e

SHA1
983b4f57a83ac17af11e4b2b37d788a267423d8f

SHA256
c9d2bee521bc3d8037b164c9468b145646fc556a6969acf83f5556e4b295fc79

SHA512
42935e06bf095722161df41e8902c8f1b477576b6e05faec584e47472eb96a3e90a4eeb72cb5371ae2a56fd819f4af8354a48876664edb72596ea6c7f0456165

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe

Filesize
184KB

MD5
988484420ca69d339464e93ff3ef3298

SHA1
b76548958343792326692511be0669cb5e961203

SHA256
9d693cb16ef963d2184844c9871723ec7271ef410ea2aefcaef4357b4beb2e1d

SHA512
9975e8a6ce408b0ffb6791d4b608a05a77de07eefaef38131d3f9116f74e745c7aca3def7a89669ac81cce2bd421e23e2561d612690d5cb0d4231678998870bb

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe

Filesize
128KB

MD5
484d9d0d332cde84c0c9ae14d14b62b0

SHA1
87a4a945e3ffa6a6196cf93c20f778e4dd02aefb

SHA256
6c25d2ab6a0ab74edc5a7fb7342a5cdafd5c569a28f9ca53153c175f4290b735

SHA512
38eba130e85287a6b3b8d502d6e27aee8bcc41cb085d5a0368b38c0d778c7976683b8df518cbbde058d63ed0b7989fa8c4283165c9318b455331f0bf9639e8dc

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\f771eb7.DLL

Filesize
100KB

MD5
10e297173e6e846f072b538dcab64abc

SHA1
7ca39b3143fc41b261d80b2a231900e3398318b4

SHA256
fa3917a8b9b01941c802247fbc3a63ac8fd9ab00fbf8a8f0e68626f00d969784

SHA512
cec76e473141df9dad050edb6e7c5ce29088169d79f1ce91b492f747a7b1be647307b028051f66b0f3ee56d9f6b686ec7cf63f63cb1c71f299f5299a52737369

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
9567a2dac1b8efbd7b0c6dce2a2251c3

SHA1
db72683ff3a3000771394d5eed7e2de922dcadbf

SHA256
67d309a88d68c449c2d0a76c0f2d2c9b2b764a469a6daea67df0279dd49c9296

SHA512
51806383e05cbc67754fc746c16ddf8364610bb22260b8638f586b02dbeb0813cee6acc9962b2b928205d445a82f2cc2022b6d1162f8da644ac902c0f3a327a9

Download Submit
memory/2796-408-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download