Overview

overview

7

Static

static

3

setup.exe

windows7-x64

7

setup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 08:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    3.0MB

  • MD5

    6d6cc1c7c858883bfd96cce4f6bfa019

  • SHA1

    02bebd917eb201883060399ba0bbe28cdbaae63c

  • SHA256

    4dfc5ae9669143291a42872a889bf121b083c3a618a8a191c1aa1b59d3685098

  • SHA512

    0ab08fdb8670d9eafe6e044c2f054ec2b84e218b832c758813d7d7322cec97c9ecd4acee260bddbb7b3c25aa3155c6f46c00e4ef01866bcebe5f8fa442ed5a71

  • SSDEEP

    98304:p+mUKGYXslS7DBZVmIZnD95CXlvw66fNNxxe:p+xv6slS/z8iDzml43e

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\is-3NA2S.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3NA2S.tmp\setup.tmp" /SL5="$80048,2679121,203776,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe
        "C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
          "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe" /FIRSTPHASEWND=$40200 /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          PID:3816

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-0SP06.tmp\ISDone.dll
          Filesize

          452KB

          MD5

          4feafa8b5e8cdb349125c8af0ac43974

          SHA1

          7f17e5e1b088fc73690888b215962fbcd395c9bd

          SHA256

          bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

          SHA512

          d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-0SP06.tmp\b2p.dll
          Filesize

          22KB

          MD5

          ab35386487b343e3e82dbd2671ff9dab

          SHA1

          03591d07aea3309b631a7d3a6e20a92653e199b8

          SHA256

          c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

          SHA512

          b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-0SP06.tmp\botva2.dll
          Filesize

          37KB

          MD5

          67965a5957a61867d661f05ae1f4773e

          SHA1

          f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

          SHA256

          450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

          SHA512

          c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-3NA2S.tmp\setup.tmp
          Filesize

          1.5MB

          MD5

          4c8bbe16a67dff63bb5cc6db7144e0c9

          SHA1

          b71be5a00636479c12de0b64512bcd7efb11c819

          SHA256

          df444620e825ce891ad6234897b5e065fde5ab5933f4b06558daa66319d8aed3

          SHA512

          354eef1f3e8602a2350ce5483097dec3e86077d7eb03cc4dd8318e139d2be28d259e1b86f782143cf78270c2f50987b90eb2f4573a02571218d99b378937a5de

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-PFJUN.tmp\_isetup\_shfoldr.dll
          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.dat
          Filesize

          79KB

          MD5

          27029821eeb7e399b3a635e6dda42bb4

          SHA1

          603aa45f7a1dd5c444751c9d35f60bb527803baa

          SHA256

          c1d95398110cd4e2d326a79582507676383e11bec136a0afdfce368cd43cd755

          SHA512

          d6fbe9c2d1e8533d2a233e64329607e87e2a62e85ec86bb6d287af1aa5961d7394ce6472376955bea1d463a5afec285e71852ed8f8accc209534144b19980555

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Minecraft - Story Mode_Uninstall\unins000.exe
          Filesize

          1.5MB

          MD5

          86de4cc3546f5199aa81af21c6ffa306

          SHA1

          748cf4cae15651772b0e59ed0ab08e45456864aa

          SHA256

          3d04a8989caf11dabe49a58d50e5ac47ff9acf99a439fc2f4dc767774f688d9a

          SHA512

          15eb67dd3fa8687a88ed566b7d070b51c13914db2930b0ecbd1f8b2c5f7831aeb8a68b744960d47876f447aabeaf568b109ee54c409d3101bf62eb404d31c315

          Download Submit

        • memory/2996-75-0x00000000033C0000-0x0000000003437000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2996-77-0x00000000059E0000-0x00000000059EF000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2996-33-0x0000000074350000-0x0000000074361000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2996-34-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2996-118-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2996-39-0x00000000059E0000-0x00000000059EF000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2996-38-0x0000000074350000-0x0000000074361000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2996-37-0x00000000033C0000-0x0000000003437000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2996-36-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2996-76-0x0000000074350000-0x0000000074361000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2996-30-0x00000000059E0000-0x00000000059EF000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2996-17-0x00000000033C0000-0x0000000003437000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2996-40-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2996-74-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2996-7-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3592-0-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3592-2-0x0000000000401000-0x0000000000417000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3592-35-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3592-119-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3816-98-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4220-87-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4220-95-0x0000000000400000-0x0000000000588000-memory.dmp

          Filesize

          1.5MB

          Download