190facd0c36960d06367b4bfda0f9c0c8bfcaaef353402ae32765520163c8f07

General

Target

The Setup Files.exe
Size

21.8MB
MD5

8ceba6883eb8c0ab6bbc8c2411f44a88
SHA1

eb389cf495903bbccf7d8b3b211d8fea5a66e5f6
SHA256

190facd0c36960d06367b4bfda0f9c0c8bfcaaef353402ae32765520163c8f07
SHA512

f4f9b71f317446ef620bcc4de818b773efa8bdb6ab75723b6b921afe2fd63c285827fd87398ee7c9826a89c00e659d1c832767e3fd52f113387135ac86d32de0
SSDEEP

393216:EoXIMQSRcG4AQZgOYMPw/9Juq8f30vnS5gZdvnFM+77pxwYFHkHyA9n7SIwO:PpR2TZLIFQ3f3P5md/G+7fEH3jn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	Setup.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	Setup.exe
2152	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2224	2152	Setup.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2152	Setup.exe
2152	Setup.exe
2224	netsh.exe
2224	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2152	Setup.exe
2224	netsh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2152	Setup.exe
2152	Setup.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2192 wrote to memory of 2152	2192	The Setup Files.exe	28
PID 2152 wrote to memory of 2224	2152	Setup.exe	29
PID 2152 wrote to memory of 2224	2152	Setup.exe	29
PID 2152 wrote to memory of 2224	2152	Setup.exe	29
PID 2152 wrote to memory of 2224	2152	Setup.exe	29
PID 2152 wrote to memory of 2224	2152	Setup.exe	29
PID 2224 wrote to memory of 2504	2224	netsh.exe	31
PID 2224 wrote to memory of 2504	2224	netsh.exe	31
PID 2224 wrote to memory of 2504	2224	netsh.exe	31
PID 2224 wrote to memory of 2504	2224	netsh.exe	31
PID 2224 wrote to memory of 2504	2224	netsh.exe	31

C:\Users\Admin\AppData\Local\Temp\The Setup Files.exe
"C:\Users\Admin\AppData\Local\Temp\The Setup Files.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\SysWOW64\netsh.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\SearchIndexer.exe
      C:\Windows\SysWOW64\SearchIndexer.exe
      4⤵
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
9ef391c3caf02cda393d7c0651685836

SHA1
08040d76cf91641cc23ac0ad789cfd0a70f627a2

SHA256
30a1879002874dbd1b54a6328a870349d51d6e23950563220e05656b3781436a

SHA512
130fdb4a28a36f532ead920adea1dc24890aebabdcdd78d2eeea57d43ef29b525cb053892b952c01c690597159662d58fe20d261ae43a920cb1d557920e5afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kinsman.vhd

Filesize
795KB

MD5
a7c2e1897731dd20f70ded39584b945d

SHA1
fcc0caac50a2706a7ba4a0036b748bf63eb87f4b

SHA256
35f877ea9ca294eef302e903d6636beb044baabc362a79feb1957f1e470238c5

SHA512
5698f2b2d1675d61914dba6fee34bf131146a7b0bece73e4541b283c21c6ead12771e14ca392a01eef85d74536f9d4b325ac42139c1b1c7731b2f3669ce06449

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\relay.dll

Filesize
1.5MB

MD5
7d2f87123e63950159fb2c724e55bdab

SHA1
360f304a6311080e1fead8591cb4659a8d135f2d

SHA256
b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a

SHA512
6cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\woorali.accdb

Filesize
42KB

MD5
e509b097beeac41d6266c6a64248fda5

SHA1
6af62601eb8d8e8f662209ab8699fe6a7767b2c1

SHA256
5e721086f910e78a902174b711699f5332b858d475c4f9b47c8274732f7f9ae9

SHA512
b23e7bb59356a82a6ab36c200623f83a5f512bf04a26f78144c49c6ac84e6782e52810c31ff025dbf7a70211c07185b72a301947232e58c5d88d9e0c2ff7be4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c85a97d6

Filesize
1.0MB

MD5
8e1826811ac34d08014d6a4a8ad016a9

SHA1
9bb8df381fbd0526d7103ccb7d78dfbed90b50e5

SHA256
dc8e4fa99d852c910cce4502627feedd43ffd31e41ed95e4eeee5ce34282f4e0

SHA512
96142ef79b21eece32ab7733d508e452950eb1ba7c75f6607df40175fde8e5d7336961f8ece3363811835772e392e8f721e9bd578d0b7af19ddf6d7a04ac0eea

Download Submit
memory/2152-375-0x00000000742A0000-0x0000000074414000-memory.dmp

Filesize
1.5MB

Download
memory/2152-374-0x00000000742B2000-0x00000000742B4000-memory.dmp

Filesize
8KB

Download
memory/2152-369-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2152-376-0x00000000742A0000-0x0000000074414000-memory.dmp

Filesize
1.5MB

Download
memory/2152-368-0x00000000742A0000-0x0000000074414000-memory.dmp

Filesize
1.5MB

Download
memory/2224-379-0x00000000742A0000-0x0000000074414000-memory.dmp

Filesize
1.5MB

Download
memory/2224-380-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2224-381-0x00000000742A0000-0x0000000074414000-memory.dmp

Filesize
1.5MB

Download
memory/2224-382-0x00000000742A0000-0x0000000074414000-memory.dmp

Filesize
1.5MB

Download
memory/2504-384-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2504-385-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2504-386-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing