fa33a79cef198b9720dcd8c28a345e5532a6bc8c9b79db6640a2a5f6ad56ef82

Analysis

max time kernel
604s
max time network
1587s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bindu Software/setup.exe
Size

136KB
MD5

ca4d56abba85c97023f2e236dc82c4aa
SHA1

5c4be7cef4082adae0e187ec140c0f10dd113260
SHA256

7052d75548d0f34e290baf29aa7281b44b4eb38327a9078354e15a3dc8749da4
SHA512

42b895b8ca244d4a5dc3b662f6379073c8ee893a3a56b0e77b9eca3be4c3242bcbc9f97a2cf2432109c13fdfa842e2d73f14c7d1b328b4f6a000202af8215562
SSDEEP

3072:WARAEzUI3AOGfte0D9P9HjT0rIm7f1dZJZgJIK/J:WARdb3NGfYm9VTwImJdEX/

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST6UNST Uninstaller.LNK	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	Setup1.exe

Loads dropped DLL 1 IoCs

pid	Process
4912	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\temp.000	setup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\WINDOWS\SETUP.LST	setup.exe
File created	C:\WINDOWS\Colorlab.CAB	setup.exe
File opened for modification	C:\WINDOWS\st6unst.exe	setup.exe
File created	C:\WINDOWS\temp.000	setup.exe
File created	C:\WINDOWS\Setup1.exe	setup.exe
File opened for modification	C:\WINDOWS\Setup1.exe	setup.exe
File opened for modification	C:\WINDOWS\ST6UNST.000	setup.exe
File opened for modification	C:\WINDOWS\Colorlab.CAB	setup.exe
File created	C:\WINDOWS\ST6UNST.000	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020412-0000-0000-C000-000000000046}	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3032	Setup1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3032	4912	setup.exe	74
PID 4912 wrote to memory of 3032	4912	setup.exe	74
PID 4912 wrote to memory of 3032	4912	setup.exe	74

C:\Users\Admin\AppData\Local\Temp\Bindu Software\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Bindu Software\setup.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912
- C:\WINDOWS\Setup1.exe
  C:\WINDOWS\Setup1.exe "C:\Users\Admin\AppData\Local\Temp\Bindu Software\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\VB6STKIT.DLL

Filesize
99KB

MD5
cff867572b44212b01b711c1fa009537

SHA1
3978c9f7a3d77c0bdff4353949e2143757eebc79

SHA256
df6e2f111773adec3b33dcb0b31e2a4d21ef7d51740706335f411e2c999c0e6b

SHA512
1b77ef24b1efb4939e4625deb1f8ebccc3c2edbb49b412dadb8a3c293a265c77ea84d8eb725d3af5bb84d9c040a91debe5890f57ed8750147e91f30c1a0630c4

Download Submit
C:\WINDOWS\ST6UNST.000

Filesize
1KB

MD5
89a49fede5aebfa81bcf3de6a7a29795

SHA1
2be9c8a9401dfd5befd5749226f5ab4db79a65a3

SHA256
570f01b32179a37433ec7d03a0e228d1f30261a0977bfbe81b07bdfc0ad39849

SHA512
bedfd53ae47b1a77968bcb61adfdd5b5df624a947ae30161b125c1ea1c735e0b555340a4f95e626cc7d334d1957332587f0e5b461e868a42e97392aa35b814ec

Download Submit
C:\Windows\Colorlab.CAB

Filesize
13.0MB

MD5
ebeb3178cd87b4a6467a7fe3a33246bd

SHA1
9e360dcbdf64cb9eca3cb57f82f59e27c00813fd

SHA256
790753321d9e37e2fc44e1e1b06b954e7aa1e818cf7c1eda205a401fadc1bd8e

SHA512
103597f3860e7789dc7e4a55f7358f6ab8e53803e6ef76abec6170ca25d038390fc5811c038a3bbfc03368fe106761270aef536b041b12a3a86a2538924e9a99

Download Submit
C:\Windows\SETUP.LST

Filesize
6KB

MD5
b47319327b5336268ec5b35323cea603

SHA1
4821b477c644948dadc2034fa172b641e6929a52

SHA256
94f9422d8848591fbfc29ef95e854db4bdbe44d63cbd3a87fddafb690201a077

SHA512
6e67979449a9fa75dc5ec97ba4ccf4257ff14362d5e7417b2738348879fafa35ba7a829f49d5b5fc4b7713d5554081733e32f1b6cf6a2c773ed2bf7481f426d5

Download Submit
C:\Windows\ST6UNST.EXE

Filesize
71KB

MD5
d422839c99927db561f5c019643eacec

SHA1
e6c1322baebf818092af991de744ea1081cfd062

SHA256
b7f9ba5ae3a6590a0e08117f90825e4076e295ab407b85c2ed42a20df478df83

SHA512
1025b96bfb2d21da0289524e45b88a46e944f38cf7fec0abfa58e57d39515b8e399d8311a94c0566ba0774b0c2fe0bb6a478a8544469a0696c1b618bb9c66e7e

Download Submit
C:\Windows\Setup1.exe

Filesize
244KB

MD5
b9917fc4c836776765e311fff84dd534

SHA1
63cf6b3992f2058f6a5995293e1017627569f8b5

SHA256
4c7ea1f0b856125a1316e7dd19a2702de959a048fc9f2556ec3de351067422b7

SHA512
f092cdbb595814f58240451017f1f392ad18b4dad931694937f46936062579edb01bbd3f0b515c2e3dd1c31afae78af5090433c1a72e07e16b5970a76c647b0f

Download Submit