Analysis
-
max time kernel
151s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10/05/2024, 17:29
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20240226-en
General
-
Target
setup.exe
-
Size
10.5MB
-
MD5
9c81ba6819a0ef69a320e5b4dc50ceb0
-
SHA1
3244ffb1218c47a4e1ac5ec41c998a0c5cded43d
-
SHA256
e06f03fad870c10cec46640576bd362d3862092ceeea1fb5e455f62786289913
-
SHA512
21793eb18c1a6a1eccf8e2fa3ac09031dd7cb578e0b70b71c89f9d63377fc18d682181aec7f8cab2a0387f11b2201eb5f4624de216f53d239cee29b3622178b3
-
SSDEEP
196608:eFluPpGAjMGhuPD5U4idQmRrdA6lkaycBIGpEnSE0eHnqvY0/:NP8AxYDwdQOlp97zQ
Malware Config
Signatures
-
Loads dropped DLL 21 IoCs
pid Process 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe 5104 setup.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3476 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3476 taskmgr.exe Token: SeSystemProfilePrivilege 3476 taskmgr.exe Token: SeCreateGlobalPrivilege 3476 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe 3476 taskmgr.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1312 wrote to memory of 5104 1312 setup.exe 91 PID 1312 wrote to memory of 5104 1312 setup.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"2⤵
- Loads dropped DLL
PID:5104
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3476
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵PID:3560
-
C:\Windows\System32\_iyiwy.exe"C:\Windows\System32\_iyiwy.exe"1⤵PID:532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
81KB
MD5bbe89cf70b64f38c67b7bf23c0ea8a48
SHA144577016e9c7b463a79b966b67c3ecc868957470
SHA256775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723
SHA5123ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1
-
Filesize
242KB
MD56339fa92584252c3b24e4cce9d73ef50
SHA1dccda9b641125b16e56c5b1530f3d04e302325cd
SHA2564ae6f6fb3992bb878416211221b3d62515e994d78f72eab51e0126ca26d0ee96
SHA512428b62591d4eba3a4e12f7088c990c48e30b6423019bebf8ede3636f6708e1f4151f46d442516d2f96453694ebeef78618c0c8a72e234f679c6e4d52bebc1b84
-
Filesize
60KB
MD5d856a545a960bf2dca1e2d9be32e5369
SHA167a15ecf763cdc2c2aa458a521db8a48d816d91e
SHA256cd33f823e608d3bda759ad441f583a20fc0198119b5a62a8964f172559acb7d3
SHA51234a074025c8b28f54c01a7fd44700fdedb391f55be39d578a003edb90732dec793c2b0d16da3da5cdbd8adbaa7b3b83fc8887872e284800e7a8389345a30a6a4
-
Filesize
153KB
MD50a94c9f3d7728cf96326db3ab3646d40
SHA18081df1dca4a8520604e134672c4be79eb202d14
SHA2560a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31
SHA5126f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087
-
Filesize
29KB
MD552d0a6009d3de40f4fa6ec61db98c45c
SHA15083a2aff5bcce07c80409646347c63d2a87bd25
SHA256007bcf19d9b036a7e73f5ef31f39bfb1910f72c9c10e4a1b0658352cfe7a8b75
SHA512cd552a38efaa8720a342b60318f62320ce20c03871d2e50d3fa3a9a730b84dacdbb8eb4d0ab7a1c8a97215b537826c8dc532c9a55213bcd0c1d13d7d8a9ad824
-
Filesize
75KB
MD50f5e64e33f4d328ef11357635707d154
SHA18b6dcb4b9952b362f739a3f16ae96c44bea94a0e
SHA2568af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe
SHA5124be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643
-
Filesize
155KB
MD59ddb64354ef0b91c6999a4b244a0a011
SHA186a9dc5ea931638699eb6d8d03355ad7992d2fee
SHA256e33b7a4aa5cdd5462ee66830636fdd38048575a43d06eb7e2f688358525ddeab
SHA5124c86478861fa4220680a94699e7d55fbdc90d2785caee10619cecb058f833292ee7c3d6ac2ed1ef34b38fbff628b79d672194a337701727a54bb6bbc5bf9aeca
-
Filesize
812KB
MD5524a85217dc9edc8c9efc73159ca955d
SHA1a4238cbde50443262d00a843ffe814435fb0f4e2
SHA256808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621
SHA512f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c
-
Filesize
10KB
MD50e2a2addd0d5b21193dbaae162604181
SHA1526b25822b2571307fe8d4208c83227c0c64cb10
SHA256ab0a8fd8f085766a2a7001380e6ee219d5ae68d0194498eeb8d3866f922fbcae
SHA5126e0f0fa11fff0853e4063f5e1a526936cd682303f94b13da0bd4fb6b2da5efdbb3acb378951508ee3a2dea7f7e2c1d6f968e00ae63d1b6063cc2ad932a3856e9
-
Filesize
114KB
MD5c6c87fc7bd7555026bb1738857066cff
SHA13c89dcbc228a7b689860545495f7a081721c5a12
SHA2561a6961fd249dbb3a9ccc903fe5ec4631616594edefb19db423fb488b3dba619a
SHA51263d5b76830d17f90c7d846c8481fac33d86cf1e606d4e33cbe5af868b41d35e7c8c95b93906258d1954809d13a46036fabad093a8693bd29121c020f743faeaa
-
Filesize
3.3MB
MD56f4b8eb45a965372156086201207c81f
SHA18278f9539463f0a45009287f0516098cb7a15406
SHA256976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA5122c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f
-
Filesize
686KB
MD58769adafca3a6fc6ef26f01fd31afa84
SHA138baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA2562aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b
-
Filesize
63KB
MD5c17b7a4b853827f538576f4c3521c653
SHA16115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA5128e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7
-
Filesize
4.3MB
MD5deaf0c0cc3369363b800d2e8e756a402
SHA13085778735dd8badad4e39df688139f4eed5f954
SHA256156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA5125cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
Filesize
28KB
MD5c119811a40667dca93dfe6faa418f47a
SHA1113e792b7dcec4366fc273e80b1fc404c309074c
SHA2568f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7
SHA512107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3
-
Filesize
39KB
MD5a4c988361c7f69e080de5eb1a6c3f5cd
SHA186d77b7a17c79a1db9c6790b23b0702b245ed94c
SHA25602d867d8f8120658255c6e5ec426010c149fe353795f79326fe5de3e849fc6c8
SHA512dc73a144dc007ed9b207e9ca02e3a8663e705f71e3873d5d883e7e3fecba3d6268b4fa59a1f88db023d4b98aaef6fc5677e7269fff0c2c0e4eab8f98e57b062a
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
1.1MB
MD54c8af8a30813e9380f5f54309325d6b8
SHA1169a80d8923fb28f89bc26ebf89ffe37f8545c88
SHA2564b6e3ba734c15ec789b5d7469a5097bd082bdfd8e55e636ded0d097cf6511e05
SHA512ea127779901b10953a2bf9233e20a4fab2fba6f97d7baf40c1b314b7cd03549e0f4d2fb9bad0fbc23736e21eb391a418d79a51d64402245c1cd8899e4d765c5a
-
Filesize
512KB
MD54652c4087b148d08adefedf55719308b
SHA130e06026fea94e5777c529b479470809025ffbe2
SHA256003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795
SHA512d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d