ffbe8c67e2a72063c0f2f5e96c4c2be69861d50f3996af0ed97131620363f8f7

Analysis

max time kernel
1361s
max time network
1183s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.0.0-PVP/CSP_300w_setup.exe
Size

435.2MB
MD5

9b6c2642633411bcc3a3e81b6cbb0a38
SHA1

a76c2c0286f17b5770809c11f7786de7f78abfa8
SHA256

f2a11b617818fb43591602c8f4272064f28a5c545eddbee315b235bc0ccf4255
SHA512

c80df807ebb0896e7ec9bcbc5e98a71c25599f54f5a1f10dbd6b13362e20202f783478626c00531eef4bd26ba143d512f6d6ffdc20c726b1bf9fc2786dea5128
SSDEEP

12582912:CTVqAgdbW38gAi+aUyyZXtoCOF/tk32KQh2d38xu:CTV/gk38gBxjoCVF/q353Z

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 7 IoCs

pid	Process
648	CSP_300w_setup.exe
4736	ISBEW64.exe
2212	ISBEW64.exe
4688	ISBEW64.exe
4500	ISBEW64.exe
1932	ISBEW64.exe
4784	ISBEW64.exe

Loads dropped DLL 8 IoCs

pid	Process
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe
648	CSP_300w_setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 648	2616	CSP_300w_setup.exe	80
PID 2616 wrote to memory of 648	2616	CSP_300w_setup.exe	80
PID 2616 wrote to memory of 648	2616	CSP_300w_setup.exe	80
PID 648 wrote to memory of 4736	648	CSP_300w_setup.exe	81
PID 648 wrote to memory of 4736	648	CSP_300w_setup.exe	81
PID 648 wrote to memory of 2212	648	CSP_300w_setup.exe	82
PID 648 wrote to memory of 2212	648	CSP_300w_setup.exe	82
PID 648 wrote to memory of 4688	648	CSP_300w_setup.exe	83
PID 648 wrote to memory of 4688	648	CSP_300w_setup.exe	83
PID 648 wrote to memory of 4500	648	CSP_300w_setup.exe	84
PID 648 wrote to memory of 4500	648	CSP_300w_setup.exe	84
PID 648 wrote to memory of 1932	648	CSP_300w_setup.exe	85
PID 648 wrote to memory of 1932	648	CSP_300w_setup.exe	85
PID 648 wrote to memory of 4784	648	CSP_300w_setup.exe	86
PID 648 wrote to memory of 4784	648	CSP_300w_setup.exe	86

C:\Users\Admin\AppData\Local\Temp\3.0.0-PVP\CSP_300w_setup.exe
"C:\Users\Admin\AppData\Local\Temp\3.0.0-PVP\CSP_300w_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\CSP_300w_setup.exe
  C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\CSP_300w_setup.exe -package:"C:\Users\Admin\AppData\Local\Temp\3.0.0-PVP\CSP_300w_setup.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\CSP_300w_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F0DE229C-4ACE-4B02-AD7F-26A56813E710}
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC969FA2-FF1B-4CE5-828B-7E3AAAEB8C3F}
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A568373-1F0A-448A-B7F2-5B6765D25733}
    3⤵
    - Executes dropped EXE
    PID:4688
- - C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1760DCA7-C665-46E4-9E4E-46017724FB5F}
    3⤵
    - Executes dropped EXE
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3A26ADEC-D5F7-4CF9-9D92-DE017F00780D}
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C183578C-0D08-4E67-BDAF-4917D01BDC43}
    3⤵
    - Executes dropped EXE
    PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\ISBEW64.exe

Filesize
198KB

MD5
28857f9a5dc8af367e533076267f5b4d

SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa

SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee

SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\FontData.ini

Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\InstallshieldSupportModule.dll

Filesize
184KB

MD5
a65d3f22e82802871d3f698fc1016f21

SHA1
dc17fe50a1b1821f5f251114897faeb889457398

SHA256
2a27b247c1387082036bcd83fb20dbef9d923b0ffa56573c093d0b71edf6d57b

SHA512
08054d4ccbf3c1f6c40e338c273908ac3250a23399328ed645a7bfd79fa28293db59718d8114316a2263345347d03f772b390980c24ef78acced69d92030a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\_isres_0x0409.dll

Filesize
1.8MB

MD5
8afdae8fe83d1a813b54e48230aed2db

SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c

SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6

SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\_isuser_0x0409.dll

Filesize
361KB

MD5
270951346c840b9f53bb695ff1233a1f

SHA1
c5313382d7395b2d37e790bbd9e57937ae8babee

SHA256
660fe31d417f48eddcf17f280e5d7704b6da8ad6f939eb061cff5a4e8a35b4a5

SHA512
0fb46f9fcdb3c6c2f6600780603de297c2104681e4592d2f73c161873c34f318cbf631a4400f0a0903c0a1feddeca01922e01c1492458dab602c1f21beefc6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{207A7715-4E3C-4FD8-9397-CE0E165B005A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\isrt.dll

Filesize
1.1MB

MD5
ff43031211486580947f25f293b8125b

SHA1
31030ea85fce86a7679f80771838d58df631c28c

SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0

SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\CSP_300w_setup.exe

Filesize
914KB

MD5
ae10b8952043ddfab8a6e3a43b1f8842

SHA1
3c31d8adf582e792451ecfb7e0712849352edf43

SHA256
4f1f2b3f870d5c295b478b662f90d6979fa98f749f798f973632136236d35d2e

SHA512
75271f162a1732e69c9e64f3e4ddbaf13cde58167ef2ed6ee3dbc2e9b4b361faec520bff31c823ea1a91c21b4641c3936b4c049e0d8d10f5d4d4498c03e2a6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0404.ini

Filesize
10KB

MD5
cd658d92df1ad180483136cd6960e7f6

SHA1
0d2808f19c659312372386276bb8dec386b2b638

SHA256
5d31e009a36325032ab1521d2b1ca1a5be89bb969d1948d4fe99c387b1055db1

SHA512
84540ddb853c9dcf49c2abe931601884f744c341d33f2f615f9d3290c41ead9d0709e0882358d5326b87fa25adf61ea1ff7a2b9bad52bfaab18b31d08047da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0407.ini

Filesize
25KB

MD5
1f71deaf7e3c298f4c4112db5e7ac029

SHA1
2d653e79c55e31cd00af51313a7b07aed123ab04

SHA256
b4d2bf8ddeee1e2acc5dfaa14ac602a69f52195c38eab4660408fd879ad41a56

SHA512
e0c0fe70904f768ebd191cd8aae285a7e851ff5e5ee3cbe5b78a708b6f378db33f499291eb89ee268fd3b3a694abaf6826162571aba74a6837f65c95a8078666

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x040a.ini

Filesize
25KB

MD5
b216bc7b827622578e60b0b37ce9c4c0

SHA1
18eb706aa172440c783382fb317dcb2ef7d04e2a

SHA256
4e42d96cf24224d3ed43e7e14227b96fde3b43235636480f8861db0b048ffddf

SHA512
e4211ee47bccf98369b7760502cc04e7c036e7ee8eb8a29143519c35cf5295f9984ee8de1fc8d7e93352119f9cf5fcb3412b7e3749b1540fd38af7d996ab0700

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x040c.ini

Filesize
26KB

MD5
9a10eddf9169f9508688eace7b9e7797

SHA1
fe256fc1dd6a26478a7d06712d789d3f0db431d5

SHA256
d31b120f79c2fb8cd6f3fd7ede220a30ca3bb84e4d3c8b05c1bcc833734d13cf

SHA512
c3d5534e5edd819c03198ec19ab17bd90f29b33bd2f35a7f26e09ec4d59750065c4c3820efa2b6c8862e2fc00a0cf64fa928abeb62a3688b399eeb275de3ae5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0411.ini

Filesize
14KB

MD5
b807ce7552e96dc1928775956b9f422c

SHA1
d25122157365130bebae6497617d28cd86e8c638

SHA256
3f0778538202a35483c084fb0b109f693a9853f64d6452daa5c92ac75620aadc

SHA512
bb06ca5784e77ceb15331c5c6a9abad27364b1c5b800f229cd7b6d955fb120cbd7879c299508b606760f714b17a4a50aba333ccf6da7fb9bcd88b50772f64f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0412.ini

Filesize
14KB

MD5
59b2e4a2d3898f3e4f49186ff150e26c

SHA1
42f49643ef257d3ba2817af5731a165b42c42bfd

SHA256
9416c7b55d1fd9dc06f20e1e3ebbac1357217113833553d49586e339360529c7

SHA512
e6601b583567291088f1c522adf38dbc3408855463429354c7ceee2a46459c76daffc3db1f770e4979a59b88cea43599f88eb9b4dd170cf337008039775dff62

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0416.ini

Filesize
23KB

MD5
eb6dae1391cac22014afd6ccf4c2c333

SHA1
0476104dff6077de57ed24d43b2d4f8a74b6ad3e

SHA256
af54db26c9464b7a610d7eb73f06f36b43ac51e879ac4d21a1c70eb4524a2b24

SHA512
d40a5478056ff3a59e06dc779166baf144eb0db33819180fc6ac47808f49a2249158d8e5cf106c654ce42ab71b6f6f16c3b9777a6b445b1297f741affe09f587

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x041e.ini

Filesize
22KB

MD5
733f697e11797f50f950b08701a0c1ec

SHA1
e24d6f9064dfa404739485647a5bd8c6b7165579

SHA256
372dc097b80442810781d777cdd23296a0558be58b3418f4ea088cbcd7f661b2

SHA512
edba839537d63713d6dd708384296d4b6d995dacd9d01813063810e230deafc166baddb2c987442f7985b01a283454a7f5fa4076ebc276fca03c95d175091fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\0x0421.ini

Filesize
24KB

MD5
94afe5b2ac909992f6b7e3c629815d7d

SHA1
f6cea0560818c77d9de5447cc0d5e24da12e52bf

SHA256
af34e34cb979dae26a2ed08673e0ea20fcdb5d1f7ee9acf42f93afe16a64521c

SHA512
5acb1c761a392b96588c5c223e25497a80a7ac7cf8d80e5efb55bdb225544e8adbaafd1ae1f51bc076a29e7d7bf229ac57c8728b969f68b15678f1ccf8445826

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\ISSetup.dll

Filesize
1.6MB

MD5
0dd4e33a91b2ca3f0f0ed083f20fd15e

SHA1
f950051b195d088cf4996de478e7fc0967003441

SHA256
7a61dda52816efd6f27847ae019849ec73ec5c8974d9420d6d12ccfa4a5ea367

SHA512
af5545419597bc3808db6605853d6d583634d34e3e9d02b9e19a2f37ed1016417c8a36dfa15a05c2fcbc2477eba366fe3e408210d7f06e64ba49f8ee044da88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\data1.cab

Filesize
235.3MB

MD5
e10c08dcc785b59261888b179fbc7eb9

SHA1
5f04728c18b36def4977b507d329bcacc490ed7d

SHA256
05c8d5e2a153ad75443d0c6f4c9d236e3d8f8c3ea7bd0cf084525bb8806f0bd4

SHA512
acb02b0b47ec9011833813c083a114ab4794950a126d8e1ad6f4bf14d992d9c0b0b45f4f500d26aad62dd973ccc70374632df470f69b8ab92878ba076d3746dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\data1.hdr

Filesize
525KB

MD5
d760d3bcabf4e71d63075192be41033e

SHA1
73c4095662856a26346a7fc48cb787de14419b33

SHA256
ebdc15e7fb38f5552450c42c8a4cbce6e92eebb45619de8031089c129210c84e

SHA512
90467364f0a268f0dccc9f4783f6f6ceb11db435f10fae6d0fde5ea66a86fc09911f05c74d7a6ceb9fb15ae2c66ab6fb85042f17b75b222e84814d94b6d334ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\layout.bin

Filesize
848B

MD5
6d893a22fda3b565bb261bd926399de6

SHA1
fa3f3cff83dd84361494b9ce21406475882d0057

SHA256
f926ebed20cc23ac133b0e4e00879fbba937cabd6333f60e0c80f618c7d83298

SHA512
9cf77dd9327da56faa3d8df56c5d6ccf08e88d838a38497c8d53a0d3ea98d85b638d4c260b39af9f2d744047b550bd97c8a6c0b255c0d7f35f6462e321d2e15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\Disk1\setup.inx

Filesize
263KB

MD5
0d696dc57259b50644d5d7d6df25a35e

SHA1
48e31bd63526d05338b1f6824e5e89babf260723

SHA256
be4304e80c12294a2a7a8ef1e7231562c92f9e3ba2e45281eedb621baec562f6

SHA512
86ca0e81c30b8bcea90f0b6af7e060d1408317e0db98fad607139a5bb7a126cf7b690e6beb3f65e53b8d082e69462d8eaaf00898a074a3ec438e9afcc203836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{90900096-AAE7-4A13-BBC8-B6EA136074CE}\setup.ini

Filesize
2KB

MD5
fc8a0ac43218330f118424a64f5f0cd0

SHA1
36ec4fb5f86e521ad67519f2eb6195981ab4ac5d

SHA256
ea239b8e11fd28a85387e9b7a5324a60fd29fdbf113aa9f89f62096b6bef101e

SHA512
fb6d3aca0781e3c9c2a174abd9f4ba6de2536cff28fc3905c3cb9f19a9d5ff637066acbd19560579b1d73f43b92b0cb695f81d3f0853e3548759f539d67108b5

Download Submit
memory/648-131-0x0000000005890000-0x0000000005A57000-memory.dmp

Filesize
1.8MB

Download