115b65c87ae996126b4edbc25fdd576beb6bb744922fd790d29e632ee1d9704c

Analysis

max time kernel
24s
max time network
16s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

9.1MB
MD5

09b67452bb412f9bce9a0434b69a6626
SHA1

76f16ef8ca06c97561c3f482d80607ef1d068625
SHA256

115b65c87ae996126b4edbc25fdd576beb6bb744922fd790d29e632ee1d9704c
SHA512

2643dc6407bbcf5b98647739ddf832d68963db548d405b0a75733b5aaf31ec488f0e41b1ae13f33d87b48b8e1774464d885efa1ad1ea4e515b93443f638d4681
SSDEEP

196608:OljBvaAdomjmjEKg8a6McNj1P6N5TM9cZopbOSyZmQOpQv/+:OBvaAemjmjEF6N16N5ubbyoBpQvW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2464	Setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
1752	Setup.exe
2464	Setup.tmp
2464	Setup.tmp

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Setup.tmp
File opened (read-only)	\??\I:	Setup.tmp
File opened (read-only)	\??\L:	Setup.tmp
File opened (read-only)	\??\N:	Setup.tmp
File opened (read-only)	\??\O:	Setup.tmp
File opened (read-only)	\??\Q:	Setup.tmp
File opened (read-only)	\??\U:	Setup.tmp
File opened (read-only)	\??\Y:	Setup.tmp
File opened (read-only)	\??\E:	Setup.tmp
File opened (read-only)	\??\K:	Setup.tmp
File opened (read-only)	\??\P:	Setup.tmp
File opened (read-only)	\??\R:	Setup.tmp
File opened (read-only)	\??\T:	Setup.tmp
File opened (read-only)	\??\W:	Setup.tmp
File opened (read-only)	\??\G:	Setup.tmp
File opened (read-only)	\??\S:	Setup.tmp
File opened (read-only)	\??\X:	Setup.tmp
File opened (read-only)	\??\Z:	Setup.tmp
File opened (read-only)	\??\A:	Setup.tmp
File opened (read-only)	\??\B:	Setup.tmp
File opened (read-only)	\??\H:	Setup.tmp
File opened (read-only)	\??\J:	Setup.tmp
File opened (read-only)	\??\M:	Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2168	taskkill.exe
2472	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	Setup.tmp

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2464	Setup.tmp
Token: SeIncBasePriorityPrivilege	2464	Setup.tmp
Token: 33	2464	Setup.tmp
Token: SeIncBasePriorityPrivilege	2464	Setup.tmp
Token: 33	2464	Setup.tmp
Token: SeIncBasePriorityPrivilege	2464	Setup.tmp
Token: 33	2464	Setup.tmp
Token: SeIncBasePriorityPrivilege	2464	Setup.tmp
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2464	Setup.tmp

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 1752 wrote to memory of 2464	1752	Setup.exe	28
PID 2464 wrote to memory of 2592	2464	Setup.tmp	29
PID 2464 wrote to memory of 2592	2464	Setup.tmp	29
PID 2464 wrote to memory of 2592	2464	Setup.tmp	29
PID 2464 wrote to memory of 2592	2464	Setup.tmp	29
PID 2592 wrote to memory of 2168	2592	cmd.exe	31
PID 2592 wrote to memory of 2168	2592	cmd.exe	31
PID 2592 wrote to memory of 2168	2592	cmd.exe	31
PID 2592 wrote to memory of 2168	2592	cmd.exe	31
PID 2592 wrote to memory of 2472	2592	cmd.exe	33
PID 2592 wrote to memory of 2472	2592	cmd.exe	33
PID 2592 wrote to memory of 2472	2592	cmd.exe	33
PID 2592 wrote to memory of 2472	2592	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\is-A68S8.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A68S8.tmp\Setup.tmp" /SL5="$4010A,8675083,793600,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Del_7239.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /T /PID "2464"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /T /PID "2464"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del_7239.bat

Filesize
228B

MD5
dc9c00d4da5f830d38d02fc897526a4a

SHA1
b2c87a784093775ed90ebbff91eb635c9fec70db

SHA256
e70c67b7747959a0e5753373307dcee2c3e23138a61eb0aa73bcfd0dd454308e

SHA512
243dc76e487e89d9d30f2edc6877668f465f642219370e32b82c1b39371dcc9251d0f337c520a4a973792de788a591c8b314b2876e3f89967be18137f18c5d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\BACKGR~1.JPG

Filesize
30KB

MD5
4b4fe9b9b8d247aa55ef199c479ed9ce

SHA1
552200cbeb515293dc6da2d3b83cb7b627610dc5

SHA256
14ba995a7cb7d6b49ea5ccbc39ab41e2af81987a3521e368797790a2f42274c5

SHA512
3f91c38d26d98a5bf9f212fdbb5ab468fc1a396765f35980574bfc4632aacd2ef756a4cb50a043cdd0bde8131eb65bebafc03375a4a37abf5abf71f2b0fe6b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\CLOSE.PNG

Filesize
227B

MD5
4b4239fb8d4d0e66f7dc5454a0632d24

SHA1
6157db213cae7c085932741741a3197a6d318a04

SHA256
a7a5fd560851b8313cbfbeba9c51ae79da24d14e2e28b170d358194dc758480d

SHA512
981f8cdf36413f7b395eebe011788fb6fc73fa1721b02d773e3eb8b126d393dbcc83a0d9812cd1afb83180e90495b87a6c3d42a12efe032922e93a2b37ea80ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\CPU.PNG

Filesize
1KB

MD5
8575415852fe3df8b95356ee122073b5

SHA1
e9086af64c2476023610bbf30dfea25293e7c581

SHA256
d8005183b887ed1c5d8cf1aeffec61566c5320e7cd79c2bf45a6afe55c7acb95

SHA512
fcdfd3c7b442cde887574365b8bbc9710bedd17555088fce3b856422bef262986bc1cd807a4f4834cc52fe94b291bc9e5710a9fee2c8c9d766a210a9e7b4a722

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\EQUALIZER.PNG

Filesize
7KB

MD5
5b5c61732fbd33b146919b917dfb62cc

SHA1
98400d765c11c1b3fa530597e0bca23dc84e0c47

SHA256
18bb36c1dd1a4b322536b89d9501d64eb55a7275f15c4ee2aec9cbc35df9dd95

SHA512
334872916d97a19c02e7344dc1941e2cf2e4e9f6052416e24ddcdfc875a754a72f7f3bd1534825444b1224046f3f15dad71c7d98a8119b60798c968f3127253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\EXIT.PNG

Filesize
1KB

MD5
38c14236959f826c823cc21315c5d782

SHA1
bfafa48c7eeb2196b5c53d055efee8cba407e9d5

SHA256
61be0025cc13e683d0e9f4cf3d2a64a15e37ef1e81f245a5ac42da5e99694c5e

SHA512
b1dc1246e6d6f4ca7d819f7633eef172d6569d59449292005423584a36516175be053018c3b7c3160460533a892f4e2229342a9d5cf9e1526004332cd2f57efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\FONT.OTF

Filesize
65KB

MD5
c7e41a916e1418da8694a1be6847380b

SHA1
12e5ed5a16c7d3f5dcf243263338e52dc32f6111

SHA256
af9c5ac95fa5cb2bb0977cee10800c88a5ab4ab0750f663f08003740372257d4

SHA512
77c2c75edd141c67a7b734117cf1b6c38795c4004005abfd8226d8965a1cdbeabdd475a1a22bfc81ee78130364d6f61d44a48f23472fe2b16a067417a9caacf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\GAMECO~1.JPG

Filesize
55KB

MD5
a6d640dc955163090abe436c1a20bcb3

SHA1
6e201050e3d59fe1cc9e213181d3edb851199f1d

SHA256
9cd1c206274759b537e6681c065775c75940bd76b65f136da89f5c019e23ef84

SHA512
20be051a349ec24421614db404cd228f0ff9458bfdb54533c697d6400f4ee8bcad47cc96d20e97526a34db019a5dda512abf497260c945baaaf5b0c7bb983905

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\HDD.PNG

Filesize
2KB

MD5
973db78ca95b4ad343312073054ca64f

SHA1
2529d24a15cb4d94bc31a83556a33472166c5b0b

SHA256
11e2a7ea4b06c10582aeae8af2816c4601231ff835b3b15db8173fac8a2d9421

SHA512
82b5106c304daf2f496c2505fe4c1a3e92a460cb7136b2f75b773960eeee12ff643a6ff52f2bf1993f829858c4ebfe358db0fb4599786cde54f170f5fff12fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\KAOS.MP3

Filesize
2.4MB

MD5
212a982e72a3f8656f79f3cde739a3db

SHA1
a24e0c5c63aa67dfff7af1ca3e537cf680acdd5c

SHA256
94efe0140a25f8f8a36a77742513880e060a0952753f6359ff3cdc93f4146b73

SHA512
f1e14f63767cb115cfb62a2fe331501c3aae301a1ea023e1c6a70dcbf0c84a48b8fce70ae29cddad0fa735f9015aadbcaa9a141ed8e4504d63be0fdfb86b5d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\KAOS~1.STY

Filesize
2.2MB

MD5
b8bc0b70c51f71963062f3f99c7db80d

SHA1
657d136b538b4814be7976cfc222ee85dfd501ca

SHA256
41c84109cdeb7d6f84fcba944196347fd72c3299f306181eb677219c18b6eb6f

SHA512
fa62e97c730f6f99839b17128d62bb0c8900b74e3831c9f7c91313776ec47f297b0c7bb40ef2cee7fb516089ae94430c2d29f5df402be9335b7c316986ac09ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\LOGO.PNG

Filesize
52KB

MD5
5c3a4e2754dac7ef44f52d5b515bc14a

SHA1
0061ff7cb7b7602c7b2d185df695ec966034edef

SHA256
2aad4f2bce954f2daad808ae6abc876f73738b8465ee69d55e5f519303ccaa43

SHA512
067de2ffdbf5313a7abf5b6998d2189f186b4aaabb81d13f2a83cb09e415ee16e7c048270340aae34a3860ee2c93058e85ec8c73d518b95f3b2b18e3edcbd7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\MIN.PNG

Filesize
88B

MD5
950904bf85cc3247e50dbeab865ef456

SHA1
2861ed97149994abd6cd9776beab9e2b5cd6e64d

SHA256
02abca40bb11aa89368558d2476fa8544fffeed242d956282e093f3290de550d

SHA512
b325f2d1c39d72980d0491c843a334177b03d901e29d79a2b6ada519ad54667920b4b4a41f91d23e7bce56655b50cb35f0149403d694cb444ed9ee7ec462fa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\PLAY.PNG

Filesize
1KB

MD5
a57acbbdd8e84c1961a9b327e97c7504

SHA1
22369e704d1f35c051e1f33f9e2f7ed76a1ef9a5

SHA256
e74c73b1367c068681f5ba8c062bc19d1d0135a8d429f62c2159686790545ee9

SHA512
6057affa15c052b59c8408f3081a3c750dcd1ea67936cdce733123985d41ac963528b4e58b61dc71632763b8609c71c1110c448a457405633ee3c82e0a387f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\RAM.PNG

Filesize
1KB

MD5
ff1e994a6968be3ce44d532644a81cec

SHA1
bce6015a59e2a6bea56ba8aa8fd03346a37946b3

SHA256
a639180903c8439efc3ed3b8c1569f318bd0a123638800dca0c5eac328d84fff

SHA512
27b4dd307276b9d6cbd3dea4a3bdbf8c84a304aabae1ddcf82e9bf83f6295cb924823813d3b973cc62f9bac5c5da3ea50e37f8f3997bdf5dcb9d6a30c77dcdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\WEB.PNG

Filesize
2KB

MD5
76c3076ba3fa006a7dacad9fc25610ec

SHA1
1cecac07e36b12b1885b9084313b25541e29fe5c

SHA256
8e758a2720a7bc92c8b004a0e13f75416dba7a110f93ba68e1adf956883a234d

SHA512
d7daaa2748ec713b10f856e63f5bbc2c791e7d780c5ca01e5ec569bc1be17206c477284963d6be786ed9e7bf06ccbdec010f13d900530ed99dd745d683466678

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\__CRED~1.TXT

Filesize
1KB

MD5
3427717f56c0a7b6b14cbbb377590aa3

SHA1
c6c2d23d6c65717efc126cd60c4b4b91a275543c

SHA256
997e86d11a11b475d20229ad32b902fb014d0b2623fd58de4298e3d8275215c8

SHA512
6681d5f987ef80a40fb118bcd9283d573b0ccedbfc3af5692b36f12bcaa7c81cbb7b95539f470e19cb705c10d7800f41ea82d5793f13655c932315ade74281bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C683P.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
\Users\Admin\AppData\Local\Temp\is-A68S8.tmp\Setup.tmp

Filesize
3.0MB

MD5
11ef39deb0bb3c7d52ddafe1fe980ac0

SHA1
f6e2c95ca051dfdc82ab01b47ba7e77faad3a0d0

SHA256
09d0e4b07a1fcba27ad7d3fa6fa9ed15f5423efb8769227379fd0d53676f293d

SHA512
75fbda74cf65c186b2e83a97046fb635cc40d022a196b66aeb9875c6caf0955e49ee4435b56396b2bd00082f0911aeb0b05abb8ee6520cb2aaad0a4ace37ea07

Download Submit
\Users\Admin\AppData\Local\Temp\is-C683P.tmp\FMXInno.dll

Filesize
2.7MB

MD5
13fc1579c8e79e1364c1a676a3e15f05

SHA1
3d5e6eb96d71d2e36fc91cf467deec148ae6fa45

SHA256
25749b0a49c6708c4430cd3481848473bb06a258f2886877eea615f3e9430a9b

SHA512
52929df4e5990c66057e08b8e26e26bb16fe6d98c8a1b3c143a5e3f3353635267999226716587c0acabb3880397deba34add5e43c22143a63523bb4a5a16e732

Download Submit
\Users\Admin\AppData\Local\Temp\is-C683P.tmp\ISArcEx.dll

Filesize
177KB

MD5
e592358d8957f34c2af1b0d3cb25355f

SHA1
7f436a030bd86e8cea5a81998648d332856b52be

SHA256
a752752e4dcabf674760bd79dbb3324888899f46194c677985aef13f7939df73

SHA512
1d1496b7273689db0135629f426cbc73f61d93a9c0bba4a78424e835ddf83bfcab3abb5ac2d2ccd45210efece6db7cc9b6100a43861d168a694d7f2ff723c90e

Download Submit
memory/1752-116-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1752-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1752-141-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1752-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2464-91-0x000000007E680000-0x000000007E690000-memory.dmp

Filesize
64KB

Download
memory/2464-139-0x00000000729D0000-0x000000007360B000-memory.dmp

Filesize
12.2MB

Download
memory/2464-137-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2464-127-0x00000000729D0000-0x000000007360B000-memory.dmp

Filesize
12.2MB

Download
memory/2464-125-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2464-119-0x00000000729D0000-0x000000007360B000-memory.dmp

Filesize
12.2MB

Download
memory/2464-117-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2464-118-0x00000000036A0000-0x00000000036D6000-memory.dmp

Filesize
216KB

Download
memory/2464-106-0x000000007E660000-0x000000007E670000-memory.dmp

Filesize
64KB

Download
memory/2464-20-0x00000000729D0000-0x000000007360B000-memory.dmp

Filesize
12.2MB

Download
memory/2464-13-0x00000000036A0000-0x00000000036D6000-memory.dmp

Filesize
216KB

Download
memory/2464-8-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download