Overview

Tasks (score is the sandbox's 1-10 rating for that task; the Overview row carries the overall score)

Task                   Platform              Score
Overview               overview              10
Static                 static                3
VMM.zip                windows7-x64          7
VMM.zip                windows10-2004-x64    1
Data.exe               windows7-x64          1
Data.exe               windows10-2004-x64    1
Setup.exe              windows7-x64          5
Setup.exe              windows10-2004-x64    10
iepdf32.dll            windows7-x64          3
iepdf32.dll            windows10-2004-x64    3
indecorum.tiff         windows7-x64          3
indecorum.tiff         windows10-2004-x64    3
plugins/Co...st.dll    windows7-x64          1
plugins/Co...st.dll    windows10-2004-x64    1
plugins/Np...er.dll    windows7-x64          1
plugins/Np...er.dll    windows10-2004-x64    1
plugins/Np...rt.dll    windows7-x64          1
plugins/Np...rt.dll    windows10-2004-x64    1
plugins/mi...ls.dll    windows7-x64          1
plugins/mi...ls.dll    windows10-2004-x64    1
rubadub.odp            windows7-x64          1
rubadub.odp            windows10-2004-x64    1
updater/GUP.exe        windows7-x64          1
updater/GUP.exe        windows10-2004-x64    6
updater/LICENSE        windows7-x64          1
updater/LICENSE        windows10-2004-x64    1
updater/README.md      windows7-x64          3
updater/README.md      windows10-2004-x64    3
updater/enco.exe       windows7-x64          6
updater/enco.exe       windows10-2004-x64    6
updater/gup.xml        windows7-x64          1
updater/gup.xml        windows10-2004-x64    1
updater/libcurl.dll    windows7-x64          1
updater/libcurl.dll    windows10-2004-x64    1

Analysis
max time kernel:    149s
max time network:   119s
platform:           windows7_x64
resource:           win7-20240215-en
resource tags:      arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted:          06/04/2024, 06:52
Static task:  static1

Behavioral tasks

Task           Sample                                    Resource
behavioral1    VMM.zip                                   win7-20240319-en
behavioral2    VMM.zip                                   win10v2004-20240226-en
behavioral3    Data.exe                                  win7-20240220-en
behavioral4    Data.exe                                  win10v2004-20240226-en
behavioral5    Setup.exe                                 win7-20240215-en
behavioral6    Setup.exe                                 win10v2004-20240319-en
behavioral7    iepdf32.dll                               win7-20240221-en
behavioral8    iepdf32.dll                               win10v2004-20240226-en
behavioral9    indecorum.tiff                            win7-20240221-en
behavioral10   indecorum.tiff                            win10v2004-20240226-en
behavioral11   plugins/Config/nppPluginList.dll          win7-20240221-en
behavioral12   plugins/Config/nppPluginList.dll          win10v2004-20240226-en
behavioral13   plugins/NppConverter/NppConverter.dll     win7-20240221-en
behavioral14   plugins/NppConverter/NppConverter.dll     win10v2004-20240226-en
behavioral15   plugins/NppExport/NppExport.dll           win7-20240220-en
behavioral16   plugins/NppExport/NppExport.dll           win10v2004-20231215-en
behavioral17   plugins/mimeTools/mimeTools.dll           win7-20240221-en
behavioral18   plugins/mimeTools/mimeTools.dll           win10v2004-20240226-en
behavioral19   rubadub.odp                               win7-20240319-en
behavioral20   rubadub.odp                               win10v2004-20240226-en
behavioral21   updater/GUP.exe                           win7-20240221-en
behavioral22   updater/GUP.exe                           win10v2004-20240226-en
behavioral23   updater/LICENSE                           win7-20240221-en
behavioral24   updater/LICENSE                           win10v2004-20240226-en
behavioral25   updater/README.md                         win7-20240221-en
behavioral26   updater/README.md                         win10v2004-20231215-en
behavioral27   updater/enco.exe                          win7-20240215-en
behavioral28   updater/enco.exe                          win10v2004-20240226-en
behavioral29   updater/gup.xml                           win7-20240221-en
behavioral30   updater/gup.xml                           win10v2004-20240226-en
behavioral31   updater/libcurl.dll                       win7-20240221-en
behavioral32   updater/libcurl.dll                       win10v2004-20240226-en
General

Target:   Setup.exe
Size:     8.7MB
MD5:      480f8cf600f5509595b8418c6534caf2
SHA1:     dc13258ebb83bdf956523d751f67e29d6e4cf77e
SHA256:   6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
SHA512:   f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
SSDEEP:   196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o
Malware Config

Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                           pid    Process     procid_target
  PID 2832 set thread context of 1384   2832   Setup.exe   28

Loads dropped DLL (7 IoCs)
  pid    Process
  1384   netsh.exe
  2596   RunDll.exe
  1296   WerFault.exe   (5 IoCs)

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  1296   2596         WerFault.exe   30

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  2832   Setup.exe   (2 IoCs)
  1384   netsh.exe   (2 IoCs)

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid    Process
  2832   Setup.exe
  1384   netsh.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  2832   Setup.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid    Process      procid_target   IoCs
  PID 2832 wrote to memory of 1384   2832   Setup.exe    28              5
  PID 1384 wrote to memory of 2596   1384   netsh.exe    30              9
  PID 2596 wrote to memory of 1296   2596   RunDll.exe   31              4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    PID: 2832
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\netsh.exe
      command line: C:\Windows\SysWOW64\netsh.exe
      PID: 1384
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\RunDll.exe
        command line: C:\Users\Admin\AppData\Local\Temp\RunDll.exe
        PID: 2596
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 196
          PID: 1296
          - Loads dropped DLL
          - Program crash
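The Signatures section lists every WriteProcessMemory and SetThreadContext call as its own IoC row, which makes the writer chain hard to see at a glance. The script below is an added example, not part of the sandbox report or of the sandbox vendor's tooling: it folds those rows into one summary per writer/target pair, rates a pair that shows both a memory write and a thread-context change higher than one with writes alone, flags targets that live under the Windows directory, and walks the resulting chain from Setup.exe. The row format and the PID-to-image mapping are transcribed from this page; the strong/weak rating and the choice to treat write-only pairs as low confidence are the example's own assumptions, not a claim about how the sandbox scores them.

```python
"""
Correlate per-call sandbox IoC rows into a process-injection chain.

Added example; the input below is constructed from the Signatures and
Processes sections of this report, and the row layout
"PID <src> <verb> <dst> <pid> <image> <target-index>" is assumed from how
those rows read on the page.
"""
import re
from collections import Counter, defaultdict

# PID -> image path, transcribed from the Processes section.
PROCESSES = {
    2832: r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
    1384: r"C:\Windows\SysWOW64\netsh.exe",
    2596: r"C:\Users\Admin\AppData\Local\Temp\RunDll.exe",
    1296: r"C:\Windows\SysWOW64\WerFault.exe",
}

# The 1 SetThreadContext row and the 18 WriteProcessMemory rows, with the
# repeated rows expressed as list multiplication to keep the sample short.
IOC_ROWS = (
    ["PID 2832 set thread context of 1384 2832 Setup.exe 28"]
    + ["PID 2832 wrote to memory of 1384 2832 Setup.exe 28"] * 5
    + ["PID 1384 wrote to memory of 2596 1384 netsh.exe 30"] * 8
    + ["PID 2596 wrote to memory of 1296 2596 RunDll.exe 31"] * 4
    + ["PID 1384 wrote to memory of 2596 1384 netsh.exe 30"]
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(rows):
    """Return {(src_pid, dst_pid): Counter({verb: n})}; malformed rows are skipped."""
    edges = defaultdict(Counter)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        edges[(int(m["src"]), int(m["dst"]))][m["verb"]] += 1
    return edges


def is_system_binary(path):
    """True when the image lives under the Windows directory, so a write into
    it from something in %TEMP% is worth a second look."""
    return path.lower().startswith("c:\\windows\\")


def classify(edges, processes):
    """Rate each writer->target pair.

    strong: WriteProcessMemory plus SetThreadContext on the same target, the
            classic thread-hijack / hollowing sequence.
    weak:   WriteProcessMemory alone; treated here as needing corroboration
            (an assumption of this example, not a sandbox rule).
    """
    findings = []
    for (src, dst), ops in sorted(edges.items()):
        writes = ops["wrote to memory of"]
        ctx = ops["set thread context of"]
        findings.append({
            "src": src, "dst": dst,
            "src_image": processes.get(src, "?"),
            "dst_image": processes.get(dst, "?"),
            "writes": writes, "thread_context": ctx,
            "confidence": "strong" if writes and ctx else "weak",
            "target_is_os_binary": is_system_binary(processes.get(dst, "")),
        })
    return findings


def chain_from(edges, root):
    """Follow writer->target edges breadth-first from root; returns PIDs in order."""
    order, seen, frontier = [], set(), [root]
    while frontier:
        pid = frontier.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        frontier.extend(dst for (src, dst) in sorted(edges) if src == pid)
    return order


if __name__ == "__main__":
    edges = parse_rows(IOC_ROWS)
    for f in classify(edges, PROCESSES):
        print(f"{f['confidence']:6} {f['src_image']} -> {f['dst_image']} "
              f"(writes={f['writes']}, set_thread_context={f['thread_context']}, "
              f"os_binary_target={f['target_is_os_binary']})")
    print("chain:", " -> ".join(PROCESSES[p] for p in chain_from(edges, 2832)))
```

Run as a script it prints one line per pair and the chain Setup.exe -> netsh.exe -> RunDll.exe -> WerFault.exe. Only the Setup.exe -> netsh.exe pair rates "strong" (five writes plus a SetThreadContext into a SysWOW64 binary); the netsh.exe -> RunDll.exe and RunDll.exe -> WerFault.exe pairs are write-only and stay "weak" until something else in the report (the dropped-DLL loads, the crash) is read alongside them.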
Network
MITRE ATT&CK Matrix
Downloads

- Filesize:  4.5MB
  MD5:       c6749be44fda45f59400565e96a438c4
  SHA1:      aa38e13ce70d83c896eb3166b2deb424533cd702
  SHA256:    1b448489f265bcf01e9afe71cc26a1309de46d25ee2d8ee8938554ef7a6b65ff
  SHA512:    41278ca24b2401a0db17bc99e2c13e951a09b90369d17ddf193e070e2c0ab7205f136c4e5757261f85b2321ddf715e86d7ad0cb7687073ca348adee071e365cb

- Filesize:  3.6MB
  MD5:       726444379dbb621f5f117a2605425be1
  SHA1:      1700e8c51b39a8000bb41ee8b25940a6962c305b
  SHA256:    a642496f090ca7c54dc57e9ae6f5fe65b3a233dcdf7a2b734f58be23a388b1e9
  SHA512:    28f04eef12ae8d58dd67d956a1bcce0fc3dad579105c4be19432cb902b89977ffb8f9ac85506ce9461582276cd4c5c7be476016c4d9cf3f67bf7f1674c5cd267