121b577a7dac22764c8d5e89c1b0504edf7803fdf6c5ed15c0c432d9605b4f7a

Analysis

max time kernel
141s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/PW001.exe
Size

894KB
MD5

14e8afb1eeccf97178b645f49d2ea7a1
SHA1

4ba319f46201d7af9c01b28cfc53ba7975c4bc3e
SHA256

1c52b0c39ae1f8405f09fab77e2ff02cc5083b0b329d06c979f4ca4f2eb1f934
SHA512

2e3a78b5d2794c03b672eecc8e30e3d17fcf9119102859eb02cc5d918b2bd3b8cf59b2e5bffd0b304dc8ca6d6ad5149114e964950d720812d062fc029cc6f137
SSDEEP

24576:fG50ZfFK6MLYptRReZ3kTE3S00B1RxjBnYy+olZhDvL1g:fG5UfgVYlMRkTEiRBPxJBVZhDC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

installer.exeGenericSetup.exe

pid process

3968 installer.exe
3852 GenericSetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

GenericSetup.exe

pid process

3852 GenericSetup.exe
3852 GenericSetup.exe
3852 GenericSetup.exe
3852 GenericSetup.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GenericSetup.exe

description pid process

Token: SeDebugPrivilege 3852 GenericSetup.exe

pid	process
3968	installer.exe
3852	GenericSetup.exe

pid	process
3852	GenericSetup.exe
3852	GenericSetup.exe
3852	GenericSetup.exe
3852	GenericSetup.exe

description	pid	process
Token: SeDebugPrivilege	3852	GenericSetup.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

PW001.exeinstaller.exe

description	pid	process	target process
PID 1188 wrote to memory of 3968	1188	PW001.exe	installer.exe
PID 1188 wrote to memory of 3968	1188	PW001.exe	installer.exe
PID 1188 wrote to memory of 3968	1188	PW001.exe	installer.exe
PID 3968 wrote to memory of 3852	3968	installer.exe	GenericSetup.exe
PID 3968 wrote to memory of 3852	3968	installer.exe	GenericSetup.exe

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\installer.exe
.\installer.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\GenericSetup.exe
C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\GenericSetup.exe husertype=Admin
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\BundleConfig.xml

Filesize
11KB

MD5
c0a417b3394c1f645bde55008662cf86

SHA1
b9034daf2a7080cb7ebf57e33f3867202fe2d4e9

SHA256
35a59daed91192145f06fbeda58938613ada800027008566fd15446cdd4ebd9d

SHA512
47324c80eb0f8076287bf4fb7e5ea543ebedc654190d543416d20037ccb1b0163a122d3dab6b83ea450545cd76b76589f8a53af3eff3da4d77682c0906d23c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\DevLib.dll

Filesize
398KB

MD5
6ef90166cd0485d28f9041d95c1893a9

SHA1
be16f54ff32b3a15fc8ee22fa8cdcf783c196c9b

SHA256
b1e20529054b4f884e6e60eb0159a38520a36d90a57f3384e12f7f4351ea2ebe

SHA512
cd849a4555bec3befd78ca5ce582e899fe08d75093a6e69f6ce1de1081471a4f9aba912a8ee5947a9ff6b29a25f403058ba22c32adbdd6b05ff014ff7d65a75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\GenericSetup.exe

Filesize
43KB

MD5
a9aa4270caa788444d552f2d3578e539

SHA1
bf9f679b34742698ba5321f257522c88f61c6e38

SHA256
347ed24929f54062ef229bad598f5184ed3d601de3f3da8912c6c964c57100c1

SHA512
39c9bd2f323b2a4c9470a1e3d52259389fb3f97cd6c37ab4732a002cdda68a40385fdc055982600259b08d84d1fb79da7b5a71758ec7a595bf5b8eccc28e5ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\GenericSetup.exe.config

Filesize
1KB

MD5
31f6a8a7154a75add6f2b3e6d751e426

SHA1
c21b746e6e9a1e532a365809392e1c02d6823c22

SHA256
5e4dbef8383a05e9cd92e14fd6e579fc1b480110797d20482a697a42d228e829

SHA512
51a59138da29d7e0cde27492945b0e05a2b466ab56cd37f93f6314a8dd72b8bcaedcbefb27a43fb7ab097a17f3c26e70d324a11ae7a77b6cce009a0b51eade43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A482D07\installer.exe

Filesize
1.6MB

MD5
79e0c128a1ebbf0de98f4bd18c523f70

SHA1
53541473d3f27066170452e95da8516e39f1c947

SHA256
a230720e5a75d7ee763b9f740e51fd2a3e5d29f9c053e9f9c7f2814718a5dd7b

SHA512
166fb07d17a34e07ea90e75f41d5db4ee292c487798bbc286e6b3778c8049942026a205443caa5c5763b3ea890dc1956a584e687564d017db0ed3d0bf93e76ca

Download Submit
memory/3852-39-0x0000000002780000-0x00000000027E8000-memory.dmp

Filesize
416KB

Download
memory/3852-37-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/3852-40-0x00007FF908200000-0x00007FF908CC1000-memory.dmp

Filesize
10.8MB

Download
memory/3852-42-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/3852-41-0x0000000002950000-0x00000000029A0000-memory.dmp

Filesize
320KB

Download
memory/3852-47-0x000000001B5F0000-0x000000001B799000-memory.dmp

Filesize
1.7MB

Download
memory/3852-49-0x00007FF908200000-0x00007FF908CC1000-memory.dmp

Filesize
10.8MB

Download
memory/3852-50-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download