Analysis

  • max time kernel
    79s
  • max time network
    81s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    17/05/2024, 19:12

General

  • Target
    Set-up.exe
  • Size
    7.3MB
  • MD5
    41f159509017d234e08eb4f820bab935
  • SHA1
    1c27a70f922a95f66f58d8e4b7e91d92c84da6e3
  • SHA256
    4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31
  • SHA512
    0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab
  • SSDEEP
    98304:wz16s9EwkidrwQwPdz9u/ZZmDZJErFXQbZT7wIX025:wz16gBrd3gu/XmDZiF0t5

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    PID:4024
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2200
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.0.521979320\113767181" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcf83735-49fd-4206-af2f-cc9e2b7519fc} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 1796 214a2fd3158 gpu
        3⤵
        PID:3156
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.1.1039364302\1536520070" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da3bd5cd-7461-4b8c-b037-a94187e63b57} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 2152 21497e71958 socket
        3⤵
        PID:2152
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.2.748684756\1704320123" -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 2784 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {514a0ac5-fc24-40b5-ab2f-7bf18ee20b03} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 3008 214a729b158 tab
        3⤵
        PID:1660
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.3.1860909524\1715063878" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e86e5f0-1817-4c5d-8864-b51101aa1c33} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 3496 21497e62858 tab
        3⤵
        PID:2956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.4.1713360030\866374394" -childID 3 -isForBrowser -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3da78689-3ba7-41d0-8667-13b764d8ae02} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4188 214a8eba558 tab
        3⤵
        PID:4272
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.5.464141042\164405622" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f325c59d-4a9c-4ad8-a1dd-10db8daba45b} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4868 214a5680458 tab
        3⤵
        PID:4108
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.6.1880763044\48219471" -childID 5 -isForBrowser -prefsHandle 4952 -prefMapHandle 4956 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dcab834-358a-4a6f-b6d0-f49da927acd4} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4944 214a95a8258 tab
        3⤵
        PID:3636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.7.1555330623\335732334" -childID 6 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce213da6-4221-487b-a70b-025c6d2e6584} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 4916 214a95a6a58 tab
        3⤵
        PID:4716
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.8.1117274040\1666201227" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5628 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cfca5d4-0cd3-4b78-b1a5-dec054ea0149} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 5588 214aae3ac58 tab
        3⤵
        PID:168
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4660.9.388467068\494258242" -childID 8 -isForBrowser -prefsHandle 5464 -prefMapHandle 4848 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25ccc90d-7884-49b4-8c4b-faf500fd500d} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" 5660 214a8818b58 tab
        3⤵
        PID:3804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: c1ec37c5d5da194f7f65f2ba5c78118d
    SHA1: c1f34d34d15b3e5eef3bd64868716bec02494ce7
    SHA256: 0d1befaa24e9821059936f3d63feff8344304868b67b88f769fb1b65b6fea24b
    SHA512: f6e88c5dc0c56d2ed8c637567064d50071de320c1a2a1cde2020bd41e0eda08a6f58a60ba80e06d2d34373a8daebaa01baba1de0201e293de134c8d96e821818
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\6c366798-d17c-4084-a732-71ae55771658
    Filesize: 746B
    MD5: 4713440bc9ca8bcfd6b6df98f0ea78dc
    SHA1: 7faad0c7393110702c4fb48822d861b977e4d447
    SHA256: 6dcba2093ee9badf442bedcf5c4a6be465d71a01bed17e6c046e979407726eeb
    SHA512: de78cc9fa4c15bdb5d1464459ad179c3ab2e07358908eef70e419f088f6f02240fe25294eb029ae08810f157cd106bf2792e82ccf1b503be0a367b58e744eb1f
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\b623db26-3950-4a3b-8c54-c7acc3771c16
    Filesize: 10KB
    MD5: f39ad2bb0ef6d8d0aa0508f4e39698db
    SHA1: 45db8a556b0a8a7e37712c55e6d0451b08044e72
    SHA256: d200ba79bd3973b0bdcbe02666be22f8184f2791731cea2604d1a2f3e25db5e6
    SHA512: 5ba5ee0851d95ce9f816d75c9f68ac806f44e41f4223aa1e3ee69b0d321552450060502ae10fc938ab493964bf8312c8dfee191b65910142e5bd0a9473fd8090
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
    Filesize: 6KB
    MD5: da2d4f0034d005f91f260bb53f253c9a
    SHA1: a266a41683dc66129009232ca570509bff293f46
    SHA256: 4fa740824859ac526f8839f87e9b069a6b51b76e578eb5ee6be364eb6e75aa7f
    SHA512: 9064e6b89ee3b1abe878a77d0474e1ab3805389913f6c746bd0e2736ee589b2977f62a0461f2f9225ca3198a0fc445dd0c050efc13bcee721da031ca444e868f
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 30312316b41a876c640a746b079fcb82
    SHA1: 7c4917b3e503112034b4ad88f4b4962ecf9037f9
    SHA256: c22b4e017081a76a33544595d1e4833359d197379439a83251345f5a0c6a764e
    SHA512: 84e21fdd321c19941c1aca80d035b93f4562a3c1aae42f5702f42dfba3a10af2cc13c745208bd01c63eadb06ef2c82dbd9c3bd1f580c068caf6cbfbdc3032171
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 77a2d027fc6378d6cbf158dd06dc6b75
    SHA1: 2e4a05fd383534a61d5375b12bc8002cb3f4356d
    SHA256: a3baff6fd95b9190407646b467c0576a04e11a27de5efcd621594c2a5e195331
    SHA512: df523086c5fc9eb45095cd664b012bf51378c64bf91c0e91e213d0fea3eccc362762bb7491556df0b9db76e0444c9fc7390a5c6aefe0c6d53f1304118c5c36b1
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 3KB
    MD5: 41f55839dea81cc01abe4bedbb02702d
    SHA1: b5723113ebe9434a1ae439a9798a26a8af64e910
    SHA256: 781339868fdae7a2fc6831e69b1a58b3ec49e0e9f304d99ac503f705482d88ed
    SHA512: 8f28c026c30698e1b2d56ae573745eb5bd34b1c83df968671a0dd6201b2ce845147c23a3f27a878c440ce73cb0bb7d90c4670bfb9726225e84ae28c8c10f2346