Analysis

  • max time kernel
    24s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 03:28

General

  • Target

    setup.exe

  • Size

    1.0MB

  • MD5

    e255ee9eccb6e2b9cc8d8084f0af4fac

  • SHA1

    d3762bb2d3eed8b4744f80d13481d1053732fc5f

  • SHA256

    9ce9530a0de2061b4edaeeac366665867449b8755199002dfb75d88c1d119378

  • SHA512

    1c4af74e38243d63e65f7c31c0786a1a414cc3e477ae11590323fa535ae1b82acccf172c3cd52cf319253302691aefdaf497dad32b46e828506dfed197704c3e

  • SSDEEP

    24576:esSzlEqF+hVcOD/pf5fz19poadAQiM+az/fimj:wl8eOFBmQvXJj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
      __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:3048
  • C:\Program Files (x86)\MSRX\MSRX.exe
    "C:\Program Files (x86)\MSRX\MSRX.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    PID:1540

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Program Files (x86)\MSRX\Uninstall\uninstall.xml
    Filesize

    4KB

    MD5

    a4007f98001dd9f230c2c04f473dbf67

    SHA1

    75a1118b9beff383c336b54e66db52b15e81181e

    SHA256

    01d61c0a7664da0c86a2582a46fe99a8d3ac33cd75a0041fa32a13bf9676e065

    SHA512

    2cad6097e170b05932da77aaae6f49ff23bf83d5abd47c1e4e29f8e774d79440842ae58cbfc7eb5a7d7f6b3c2bd72574897b7155a7c1e5e3845695649723e903

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\IRIMG1.JPG
    Filesize

    5KB

    MD5

    8e769dbe0e7cf528e30a245abb4defbc

    SHA1

    3cbd37dedfcce6d116677aa5e270dd0f471e761d

    SHA256

    4abba5414055f45d541f2d4a7d8450091c39ce4990ed0d32fb67a0625102800c

    SHA512

    63801ecc5f86882cc3a8ddfcbd155d216ca4794818c01f757e263808d4cbf7e1bcc5c3aa779cc39d93a0887995cc1e5c5836827be0ad58823d6edf9ce38f34da

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\IRIMG2.JPG
    Filesize

    21KB

    MD5

    6a89adc2be43e619aad8eb7f74b778bd

    SHA1

    08c785d89457ca66c26e6ca701f5a5326b0d8974

    SHA256

    9862fc5877f5c15df854035285df151c66e17c076b04a05d93b00bbf0d247a3c

    SHA512

    710b575b80d8f96b8b0b48e4bd61ee60a6a366fb7261bce3e432bb682360c066d2ddf622c17c1e3ff07d67942daf568db1984853d94df11eb59dfec4d9ada2fd

  • \Program Files (x86)\MSRX\MSRX.exe
    Filesize

    1.1MB

    MD5

    2fae6ed57fbf6f219991ad8d88fe463a

    SHA1

    e10ae98dc13030fd3240e0302ff56bb533e1d4db

    SHA256

    abea4265eacba8836e30e853543025bbca1496ab8002a4ecaa6430fe3e10d9cc

    SHA512

    20cd9cfbc3ae868ac54db8d05e32fe527f56704ab06f00cc597c974ae17e1412b71c1d6a50b94b1107fbbf4615841a926ee2369a8b9a69bbb4b50c4c7e71427c

  • \Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    Filesize

    440KB

    MD5

    75ca7ff96bf5a316c3af2de6a412bd54

    SHA1

    0a093950790ff0dddff6f5f29c6b02c10997e0c5

    SHA256

    d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

    SHA512

    b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

  • memory/812-3-0x0000000001E20000-0x0000000001F47000-memory.dmp
    Filesize

    1.2MB

  • memory/1540-99-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/1540-100-0x0000000000400000-0x0000000000529000-memory.dmp
    Filesize

    1.2MB

  • memory/1540-101-0x0000000000400000-0x0000000000529000-memory.dmp
    Filesize

    1.2MB

  • memory/3048-10-0x0000000000A20000-0x0000000000B47000-memory.dmp
    Filesize

    1.2MB

  • memory/3048-91-0x0000000000640000-0x0000000000650000-memory.dmp
    Filesize

    64KB

  • memory/3048-97-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB