3d930c8c6ef31fe276f422e799269a1d918982062d2a99f1460c09c952df2c58

Analysis

max time kernel
54s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

104.6MB
MD5

021cd46dd2f05b9d87bc4355e7244dcd
SHA1

828f7e0177487de6d3fd867c793acd8d13ae4516
SHA256

3d930c8c6ef31fe276f422e799269a1d918982062d2a99f1460c09c952df2c58
SHA512

31558b3664805a8de2df597728236da09ed43ce261be7ce255659c7100c5a8c560d93773ee257e2e748d239934b512695a4997b1b7182c2659544f60b6caf5c1
SSDEEP

3145728:omfKXOrYFmRau9Gj2iWeXaAif4yYy6ouvwSF6GSousxOz:oxXOrYFkA2ZeXVifPuISzSo+

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
3040	setup.tmp
2620	EnvCheck.exe

Loads dropped DLL 19 IoCs

pid	Process
2876	setup.exe
3040	setup.tmp
3040	setup.tmp
2652	Process not Found
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe
2620	EnvCheck.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 2876 wrote to memory of 3040	2876	setup.exe	28
PID 3040 wrote to memory of 2620	3040	setup.tmp	30
PID 3040 wrote to memory of 2620	3040	setup.tmp	30
PID 3040 wrote to memory of 2620	3040	setup.tmp	30
PID 3040 wrote to memory of 2620	3040	setup.tmp	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\is-61JTC.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-61JTC.tmp\setup.tmp" /SL5="$7011E,108515925,1202176,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\EnvCheck.exe
    "C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\EnvCheck.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-61JTC.tmp\setup.tmp

Filesize
3.4MB

MD5
c5458c45b313a8f1e4073edb8b5432db

SHA1
36baf7a855349e50d22a7a48c4c1c972049f1255

SHA256
11a9a85b73d93ac5542b3988b2d2ba81cc14db5084f9ad80516c7e511177ec6c

SHA512
bdd2d9a79c800d13d5396f32ac202e5b45312dbe78d6c6c3e2cce948c534f0d0e4e4ffd28fab4ed8ab66aac8c9045d4f2e47f39753510bfc21c0000f75d7dac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\VCRUNTIME140.dll

Filesize
83KB

MD5
9f2b3fac3440db16e0c13473b551d12c

SHA1
fee53a40b376900621e0f897378de8f161af00f7

SHA256
27c51ff3dc2f4cf2b61bdf55fb60148ef0abb06c2feae188c30f1a63f9e29caa

SHA512
31da29833605c01ac66549170513518b634f371e5c1c724efc92189a4ec54d4ebf8d90582ae3364bcb2b3adde29a2fb26bf27719b619abb5b965c8678b96e5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
915f1c029d8b51ce579fe6f5330a77ca

SHA1
1629e4611e444fcc2514c522e6ac626860f370a5

SHA256
8065d56d1442de48a43b98fec8a9788ee144d997604180629ce303ee9ba53d8e

SHA512
e0d6900b9d8bd496d41c8cc538054e39e20caca88b8c54b52a2ebc7f01b104db25d9fe2d5fc2b269040cf75ad1c35759d7930be874f034191d03e0dd458e3235

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
7b2caafbe6b2c3d6cbf232610dccc034

SHA1
ed3f3cb464c779f224729c62ed2a4318f8d0aefc

SHA256
ba0afa1fadd4429693538aa2e85230edccc2e481f80b89666907d108d31bed8c

SHA512
e32c3b6f31c9fe31381884ae683178bffaca4a88f030335a4502de42432cc014337f5ac2c2ecb726afea15ca3f4c52c26d4024abed1a4187c4773b8c6ff73977

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
afd2d84fb1cdd0c03ee2888ce4fadafc

SHA1
c2ebe9ede75c0956f7d8431b0ea345672132a2d3

SHA256
26ce526a30ceb11aad52b71aa4f3ea65afe2fd6987ab517b7e86823687be6d2c

SHA512
dea9f4737881c4ce5591ebe9875e0981dc360df56505d8cd9204fb15c08fc84c1b634957540a22b11c222a11f1c99a2b401da50e55c8964c91262b186c030410

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\ucrtbase.DLL

Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\EuActiveOnline_x86.dll

Filesize
1.0MB

MD5
060cbaa294241071077ff8194c781024

SHA1
70da6eb0f728a5061f2dfae649e728c7ff57f43f

SHA256
f8969c4ac36c2e1109d1166fc328b6d2b2f6ddf60b72d92f1c08e808cd5e6f2e

SHA512
afa1109d5c2dd40fd66ea0745530c10abc00de28651c964ce4a8be0588714b214cced9ae7d7259d65d99e168680b325a2f993a5c4d3effd0b48b71fba6946898

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\EnvCheck.exe

Filesize
25KB

MD5
a6648c5c205abc175f58c6d370e2cf61

SHA1
2e3088f8efbf4f91d4ab840c8a6018518e0d13d9

SHA256
1cd085976f57cea61f813072ef5a96cf6411ee9083c9dc65328453f4568c57e6

SHA512
f4f65ffa8555a2e0d7257d48d434f4eccdbc9e7826bae8a1e3ba65f42a54b53ef08ded174743c23b3cd6e792b5ece6acc890da587c4ac1825bbce8576fe4931c

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
d0842ac13c33e2287d8adfb16bc83e7a

SHA1
68cfd86a437bd755c2f06e59fd2ba87026d9bec1

SHA256
79f0ccfec37c99a53fa333c95adf94420765366d040eea78a76c545c89708ff6

SHA512
88a5e680ed5e42452d0b7f638327bc38e88af835ada391a11c44c43faebee040d9d30227dba12231ed4ffa0c8fd3cb461f5a682d48e40a9c29ec410f069ca346

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
f12c1674574b16ddc17f4ccf68955e59

SHA1
0c7d9b8b504a3ddc53c0b8e4066c8d829e65ae55

SHA256
a88202b5b8e62edeafb536af25580b2b1a437860d86cd5d8a6fba3c89b46acd6

SHA512
084776cb0c9e7e3708cd67bd2e075bd6878a13ec0dd70f46abb7532e7153ddc4c5afbcbbd477a62432bef0e1381e06a16f951f7c701b1c6eadec93514834bb39

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
39475799bfaee65894f94a0f15d0d1fb

SHA1
f7a4e3dc3fb5133c53be4f1b7f1956d85f6f392e

SHA256
2d9f380091506eb22f0e92c68f6d8641c06fa92f733494fee9836fd748a294d5

SHA512
7156d60ee067f99d21c9d88883c90e8c83d75729807cdd77a37d74d6b15a8224d93189c1283c8756ef18a965bb8a11ad2da84bb6fe8acbffb83503fe6b5355a1

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
f98687f24c22ed699dbc3721cda79044

SHA1
67f97f2dc22a76c533435e9f3eed4d43c8265d90

SHA256
ea02309a2de376dc9321e2a1154abfe39170762ac24e5925d5fb8f3e726d723f

SHA512
64c0cb361328f4d2c4a6b15b4e345d6f3c83c195b2ac879712f443e722c6694a5a16fbdca2b7cf287081ffe093ee0d01573b22d3241de03cfa195bbbd6d3eb58

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
f1966e566459389d610b3773c3e065f1

SHA1
e123168541d78e792d8cdbaa6b473f28c1064954

SHA256
db128a378c682a0acd5fb4d074b45fad33ab57e70637f3eff917562d8100923a

SHA512
a0d2f959cd28b48791d60bf7488aa26231439c83dfc9e474f17144963bc57f143fd3e0f1904b63948334d3a83b9a5bdd3b2dad81f2e6584303c1c9bfaa9a9c78

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
08f8e94021b233848dbc1624cb17bb7a

SHA1
8bde9c791550226a6e139d86279d22d12054437b

SHA256
7ecbc9b895ad5a70ccc45e85d3ee401ae0517b71040354351b63d00814d5428a

SHA512
c8ed343189f6f0fbf89b060ff62053bbd17540d4aa7358b355448c57f6d18f988673806c3e4d103c47a9b09cbaaf0829efc1c6d779f5b563e9ba326c5413b7f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
54a1ded1160d8e7a02307b63c191e42e

SHA1
be3de75c0fcc802d2cfcb759288313abcffd2eb9

SHA256
acc5c813e40e55c5c242057ab15f3d9049850d7345d8509f7044bc905dd3aa3a

SHA512
41a1ed1393857b38137ccc91c5519dbf2d054826515f321f2cbb86a21d7086ad5098fe6a2da9173f32b8d7fcc41a893c742da0fda99f8ba179254cd2097c59a0

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
b3937ae7171b6b3d02166bfa9cd6ca9e

SHA1
949c7dffeb2a0957f741af5cade887d8fa0b89eb

SHA256
84b21fd1737b7d8953e22bd4df29cd933e3fc0a07d134598bf062f7ecf984aeb

SHA512
00efd098585546c25b4f8489673b8707e411feb1ca0936f4ffb9ffbfdf160218eef8e6870ea85cdb659c2fc243a473c28c7bd9b9d708163181bc9eb85ec416bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
2d7b04cd3e93f0c32bc999a8dd06ca31

SHA1
2046473bfd777c1780e2fe51c840ca59cdca8b8c

SHA256
b8a352807a073f0d676c862812eb768744130c1553970fe1a32eebff9b55ae28

SHA512
8a1c85504328f9f65a828d13f932bd6c7db45736029f123c4e624fb77fee8c7cee4404224ac915c2f3b0bcee0822be5295b1daaa290c269cc4008f4f31c2b862

Download Submit
\Users\Admin\AppData\Local\Temp\is-I0PGD.tmp\epmEnvCheck\api-ms-win-crt-string-l1-1-0.dll

Filesize
18KB

MD5
5c1eccf8f088c294e4ff4ada4e559567

SHA1
bb8fc158e23445bc0def4bcbd4f9a622b340bb6e

SHA256
f632698bba686c32d5de71d42ef2080d793b52c7a2ec409c8440d0aaa315e9ac

SHA512
02cb60e4b843c4622d410ecfe48285b983a1c750242a6e894ec6556fdc35c5076437f176e7d4dadf5bba819ce892b426f2717503c2a09b7dc1dc5ff6d3d830cc

Download Submit
memory/2876-1-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2876-64-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/3040-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3040-65-0x0000000000400000-0x000000000076D000-memory.dmp

Filesize
3.4MB

Download
memory/3040-68-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download