4dfc5ae9669143291a42872a889bf121b083c3a618a8a191c1aa1b59d3685098

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

3.0MB
MD5

6d6cc1c7c858883bfd96cce4f6bfa019
SHA1

02bebd917eb201883060399ba0bbe28cdbaae63c
SHA256

4dfc5ae9669143291a42872a889bf121b083c3a618a8a191c1aa1b59d3685098
SHA512

0ab08fdb8670d9eafe6e044c2f054ec2b84e218b832c758813d7d7322cec97c9ecd4acee260bddbb7b3c25aa3155c6f46c00e4ef01866bcebe5f8fa442ed5a71
SSDEEP

98304:p+mUKGYXslS7DBZVmIZnD95CXlvw66fNNxxe:p+xv6slS/z8iDzml43e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2612	setup.tmp
1936	unins000.exe
2052	_iu14D2N.tmp

Loads dropped DLL 10 IoCs

pid	Process
2440	setup.exe
2612	setup.tmp
2612	setup.tmp
2612	setup.tmp
2612	setup.tmp
2612	setup.tmp
2612	setup.tmp
1936	unins000.exe
2052	_iu14D2N.tmp
2052	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000009358f966122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe9358f9669358f9662a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000009358c56810204c6f63616c00380008000400efbe9358f9669358c5682a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000ac58e741102054656d700000360008000400efbe9358f966ac58e7412a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	setup.tmp
2612	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2612	setup.tmp
2052	_iu14D2N.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	setup.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2440 wrote to memory of 2612	2440	setup.exe	28
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 2612 wrote to memory of 1936	2612	setup.tmp	29
PID 1936 wrote to memory of 2052	1936	unins000.exe	30
PID 1936 wrote to memory of 2052	1936	unins000.exe	30
PID 1936 wrote to memory of 2052	1936	unins000.exe	30
PID 1936 wrote to memory of 2052	1936	unins000.exe	30
PID 1936 wrote to memory of 2052	1936	unins000.exe	30
PID 1936 wrote to memory of 2052	1936	unins000.exe	30
PID 1936 wrote to memory of 2052	1936	unins000.exe	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\is-KK93K.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KK93K.tmp\setup.tmp" /SL5="$70122,2679121,203776,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe
    "C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe" /FIRSTPHASEWND=$60160 /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.dat

Filesize
79KB

MD5
80648ebd9a89c8d9f531e2219070c408

SHA1
67143e90046b46a6de3534ff7af7b7c86d215795

SHA256
7ec51c554830c573e30b455fa5402b1b88696c574cd3e42c1842575ad02c21ac

SHA512
12a19b82c44adec6ee2402e8dba311210a64ddaa58d97b3e322b3b1a6624c25c2bbda538a4857682312c94b3509027d48aa94ff8f39e0c8229f3ce0d43248ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe

Filesize
1.5MB

MD5
86de4cc3546f5199aa81af21c6ffa306

SHA1
748cf4cae15651772b0e59ed0ab08e45456864aa

SHA256
3d04a8989caf11dabe49a58d50e5ac47ff9acf99a439fc2f4dc767774f688d9a

SHA512
15eb67dd3fa8687a88ed566b7d070b51c13914db2930b0ecbd1f8b2c5f7831aeb8a68b744960d47876f447aabeaf568b109ee54c409d3101bf62eb404d31c315

Download Submit
\Users\Admin\AppData\Local\Temp\is-58U9G.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-58U9G.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-58U9G.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
\Users\Admin\AppData\Local\Temp\is-58U9G.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KK93K.tmp\setup.tmp

Filesize
1.5MB

MD5
4c8bbe16a67dff63bb5cc6db7144e0c9

SHA1
b71be5a00636479c12de0b64512bcd7efb11c819

SHA256
df444620e825ce891ad6234897b5e065fde5ab5933f4b06558daa66319d8aed3

SHA512
354eef1f3e8602a2350ce5483097dec3e86077d7eb03cc4dd8318e139d2be28d259e1b86f782143cf78270c2f50987b90eb2f4573a02571218d99b378937a5de

Download Submit
memory/1936-102-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2052-105-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2440-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2440-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-33-0x0000000003160000-0x00000000031D7000-memory.dmp

Filesize
476KB

Download
memory/2612-70-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2612-32-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2612-34-0x0000000074EE0000-0x0000000074EF1000-memory.dmp

Filesize
68KB

Download
memory/2612-68-0x00000000043A0000-0x00000000043A2000-memory.dmp

Filesize
8KB

Download
memory/2612-73-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/2612-72-0x0000000074EE0000-0x0000000074EF1000-memory.dmp

Filesize
68KB

Download
memory/2612-35-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/2612-71-0x0000000003160000-0x00000000031D7000-memory.dmp

Filesize
476KB

Download
memory/2612-30-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2612-29-0x0000000074EE0000-0x0000000074EF1000-memory.dmp

Filesize
68KB

Download
memory/2612-27-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/2612-18-0x0000000003160000-0x00000000031D7000-memory.dmp

Filesize
476KB

Download
memory/2612-125-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2612-14-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download