19cf5c9f250d27c1ff53f81a0ebad37428ca71a2647e358c8b3f2bfda102a8ef

General

Target

@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe
Size

3.5MB
MD5

f3926079722ea980ed43703b7e56c578
SHA1

c91f413aaed6a2c97cef6ceea4b821faabe35994
SHA256

19cf5c9f250d27c1ff53f81a0ebad37428ca71a2647e358c8b3f2bfda102a8ef
SHA512

9157bab3d721fbe835250a2b864f7a8ea2a3b4e9e21bc527ca08589bd90446e887fc6797554157419a2efa2466ee30e6171746ee0e71ccfa224395ea33fa7828
SSDEEP

98304:ZYnY0iuf1ZByTLpwiaOZu2u3YP21sr7wx4oDIouiIOiUq:ZYnLI1witJu3A5wCoehH3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

2808 Setup.exe
Loads dropped DLL 3 IoCs

Processes:

Setup.exetracewpp.exe

pid process

2808 Setup.exe
2808 Setup.exe
1732 tracewpp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 2808 set thread context of 1784 2808 Setup.exe netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exenetsh.exe

pid process

2808 Setup.exe
2808 Setup.exe
1784 netsh.exe
1784 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

2808 Setup.exe
1784 netsh.exe

pid	process
2808	Setup.exe

pid	process
2808	Setup.exe
2808	Setup.exe
1732	tracewpp.exe

description	pid	process	target process
PID 2808 set thread context of 1784	2808	Setup.exe	netsh.exe

pid	process
2808	Setup.exe
2808	Setup.exe
1784	netsh.exe
1784	netsh.exe

pid	process
2808	Setup.exe
1784	netsh.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exeSetup.exenetsh.exe

description	pid	process	target process
PID 840 wrote to memory of 2808	840	@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe	Setup.exe
PID 840 wrote to memory of 2808	840	@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe	Setup.exe
PID 2808 wrote to memory of 1784	2808	Setup.exe	netsh.exe
PID 2808 wrote to memory of 1784	2808	Setup.exe	netsh.exe
PID 2808 wrote to memory of 1784	2808	Setup.exe	netsh.exe
PID 2808 wrote to memory of 1784	2808	Setup.exe	netsh.exe
PID 1784 wrote to memory of 1732	1784	netsh.exe	tracewpp.exe
PID 1784 wrote to memory of 1732	1784	netsh.exe	tracewpp.exe
PID 1784 wrote to memory of 1732	1784	netsh.exe	tracewpp.exe
PID 1784 wrote to memory of 1732	1784	netsh.exe	tracewpp.exe
PID 1784 wrote to memory of 1732	1784	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe
"C:\Users\Admin\AppData\Local\Temp\@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
4⤵
- Loads dropped DLL
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89a0a45e
Filesize
1.2MB

MD5
748591a36e3a492e9af8847e0c4bf03a

SHA1
ed014a6d1ef3d42c318127a0842267013f12d5d7

SHA256
6115d59b8f3a0c18ef741a1afeec778b7b851fd11bf2e639b6152a8678cd4e55

SHA512
20557b84ea40616d7177fac208cb9a77771c13280d3ff2d419340c02c371c1b851b32addb1728f37677affcacda30836cd2afb82d14aae8812612bb8a3de37fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\largo.doc
Filesize
915KB

MD5
1d070b44d4cfa45325bf3b89168921c5

SHA1
62f1aa9e982bb4ca3dc7d93dbb784fb2ca57751f

SHA256
9e35a20dfe967b3999761df98dea750ba5516214e3d91086d3f1a422ac4ff982

SHA512
43372cc3b20693052cb6dbb98a5c1fc3635a69ee11262e3334bbbb05c84c892f165d6bdbe0eb61b83b3297c48a13a60a22741bdc4795b131c8d25297b135e5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nursery.iso
Filesize
73KB

MD5
5a055f819fd0c3454e0d90507dc25257

SHA1
27e8af7782f080e8ea3c06cb31ddbfa768cb127b

SHA256
0566fbe3e0e3f35083ebf4304b581e03cf4eccb37da57f7c7a4bdcf6f2e2c3d8

SHA512
1a48f170895be20d6e4b3eb2c125b404376158f471cb29a2d474824457668dbaa07261049f61cad68fc341fac011e0170e8eb54aae8b10a6456ed6d910a5842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python310.dll
Filesize
4.3MB

MD5
fc90f16df2e942d04add02e705ba9bcc

SHA1
a64997c424e6d28a2e47c347c7ae9a37073b727d

SHA256
5aa78fb7130326cc0a37cbc04854df22f890f7692e27747dbc88cf81f62ea157

SHA512
6d058416def68a7e642e679e5d42348d47b3e9c6ccbff84827b8c1bb0e076525e4b3c24b7577455ed1d83a8f3a6602ee248afd35f8463396043ac6cd183a82e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/1732-250-0x0000000000A00000-0x0000000000A50000-memory.dmp

Filesize
320KB

Download
memory/1732-249-0x0000000000A00000-0x0000000000A50000-memory.dmp

Filesize
320KB

Download
memory/1732-248-0x00000000003D0000-0x0000000000454000-memory.dmp

Filesize
528KB

Download
memory/1732-246-0x0000000000A00000-0x0000000000A50000-memory.dmp

Filesize
320KB

Download
memory/1732-245-0x00007FFE9EC20000-0x00007FFE9EE29000-memory.dmp

Filesize
2.0MB

Download
memory/1784-239-0x0000000073C90000-0x0000000073E0D000-memory.dmp

Filesize
1.5MB

Download
memory/1784-243-0x0000000073C90000-0x0000000073E0D000-memory.dmp

Filesize
1.5MB

Download
memory/1784-241-0x0000000073C90000-0x0000000073E0D000-memory.dmp

Filesize
1.5MB

Download
memory/1784-236-0x00007FFE9EC20000-0x00007FFE9EE29000-memory.dmp

Filesize
2.0MB

Download
memory/2808-233-0x00007FFE8F880000-0x00007FFE8F9FA000-memory.dmp

Filesize
1.5MB

Download
memory/2808-232-0x00007FFE8F880000-0x00007FFE8F9FA000-memory.dmp

Filesize
1.5MB

Download
memory/2808-227-0x00007FFE8F880000-0x00007FFE8F9FA000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing