Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 13:23

General

  • Target

    WindowController_setup_06.exe

  • Size

    1.4MB

  • MD5

    5f47cf5504f99f7a6a20ea11e393ed75

  • SHA1

    081ba58a5a211efa949b6536b477b9f211f1a0ea

  • SHA256

    a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b

  • SHA512

    4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2

  • SSDEEP

    24576:+fOy4I4oZ+OTFmmYf52bLIPCUtSyxVqVuR5LnMlyFarOHd4uyIg2df5HejNPvNa2:+GThaFw52P4kMouR1nyyFaaCuyIg2dfE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp" /SL4 $F0150 "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe" 1217223 52224
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
        3⤵
          PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\del_bat.cmd

      Filesize

      226B

      MD5

      57d7419e37e725840c910cb21ccf0adb

      SHA1

      b2a7b23acc8039311994933add224e72ee08a4a4

      SHA256

      7adfe3d985257c921c924fca6fc84cec6b79b2bb676d4e1b603582afec778fac

      SHA512

      e4f0c3c5f2702baa8a3954eadca2e1c380b7bc0b1d642659d8bc03467f0f17be05ff5f6f9b96094a66b3fc7a0552277cea1e5c5a31ae073344ae2344fe9321fc

    • \Users\Admin\AppData\Local\Temp\is-ETNCE.tmp\_isetup\_shfoldr.dll

      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    • \Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp

      Filesize

      656KB

      MD5

      4fa180886ff7c0fd86a65f760ede6318

      SHA1

      2c89c271c71531362e84ddab5d3028f0756a9281

      SHA256

      1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

      SHA512

      a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

    • memory/1980-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

      Filesize

      4KB

    • memory/1980-20-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/1980-23-0x00000000003E0000-0x00000000003E1000-memory.dmp

      Filesize

      4KB

    • memory/2212-1-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/2212-19-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB