Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 13:18

Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7-20240419-en
General
Target: Setup.exe
Size: 2.4MB
MD5: 9fb4770ced09aae3b437c1c6eb6d7334
SHA1: fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256: a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512: 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
SSDEEP: 49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
Malware Config
Signatures
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1600 set thread context of 2752 | 1600 | Setup.exe | 28

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1600 | Setup.exe
1600 | Setup.exe
2752 | netsh.exe
2752 | netsh.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
1600 | Setup.exe
2752 | netsh.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1600 | Setup.exe
1600 | Setup.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 1600 wrote to memory of 2752 | 1600 | Setup.exe | 28
PID 1600 wrote to memory of 2752 | 1600 | Setup.exe | 28
PID 1600 wrote to memory of 2752 | 1600 | Setup.exe | 28
PID 1600 wrote to memory of 2752 | 1600 | Setup.exe | 28
PID 1600 wrote to memory of 2752 | 1600 | Setup.exe | 28
PID 2752 wrote to memory of 2732 | 2752 | netsh.exe | 30
PID 2752 wrote to memory of 2732 | 2752 | netsh.exe | 30
PID 2752 wrote to memory of 2732 | 2752 | netsh.exe | 30
PID 2752 wrote to memory of 2732 | 2752 | netsh.exe | 30
PID 2752 wrote to memory of 2732 | 2752 | netsh.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   PID: 1600
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of PID 1600)
      command line: C:\Windows\SysWOW64\netsh.exe
      PID: 2752
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\SearchIndexer.exe (child of PID 2752)
         command line: C:\Windows\SysWOW64\SearchIndexer.exe
         PID: 2732
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.0MB
MD5: 617d58684189e2d9f90129ea238977d3
SHA1: 7aed26437d5d56612bfe473ffeea3858049de7ca
SHA256: 0e47882b4968445b488cd4fd783dd16b63caa2e774d9cf6698e2f0fc814e80eb
SHA512: f0cae03e25b0e17c11be6b4f4c77580d7ad4681c7ee3f416a0818d27518a4f7b0aae565d4b610afacb43070783d62d475f6264748b9a77746f086ba5429e143d