a9dd76ce0eab73fbca951c5875e7f782278c541c8170ee9145884259acd8136e

General

Target

Setup.exe
Size

1.7MB
MD5

5b19b030cedda741350c22d0c240042c
SHA1

a781ba87e607518dcc4bba93fe0eadfaf161dba2
SHA256

a9dd76ce0eab73fbca951c5875e7f782278c541c8170ee9145884259acd8136e
SHA512

35778f23ec813138af3c21b44471daf61ae63ee1c7bff12e4ac84d82a4cf5e2668924097f42295f767f931c1fb86018bf94e84be4916e849ead450b5bf39544f
SSDEEP

49152:RRN24wEZ7m/ecAAE8j2tyuHr3RMMYK22v/6A5y:3dm/ecVi9r3RI35

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1740	Setup.tmp
2528	unins000.exe
2372	_iu14D2N.tmp

Loads dropped DLL 9 IoCs

pid	Process
2312	Setup.exe
1740	Setup.tmp
1740	Setup.tmp
1740	Setup.tmp
1740	Setup.tmp
1740	Setup.tmp
2528	unins000.exe
2372	_iu14D2N.tmp
2372	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Alien Isolation\unins000.dat	Setup.tmp
File opened for modification	C:\Program Files (x86)\Alien Isolation\unins000.dat	_iu14D2N.tmp
File created	C:\Program Files (x86)\Alien Isolation\unins000.dat	Setup.tmp
File created	C:\Program Files (x86)\Alien Isolation\is-TLFB8.tmp	Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	Setup.tmp
1740	Setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1740	Setup.tmp
2372	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 2312 wrote to memory of 1740	2312	Setup.exe	28
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 1740 wrote to memory of 2528	1740	Setup.tmp	30
PID 2528 wrote to memory of 2372	2528	unins000.exe	31
PID 2528 wrote to memory of 2372	2528	unins000.exe	31
PID 2528 wrote to memory of 2372	2528	unins000.exe	31
PID 2528 wrote to memory of 2372	2528	unins000.exe	31
PID 2528 wrote to memory of 2372	2528	unins000.exe	31
PID 2528 wrote to memory of 2372	2528	unins000.exe	31
PID 2528 wrote to memory of 2372	2528	unins000.exe	31

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\is-NG3HQ.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NG3HQ.tmp\Setup.tmp" /SL5="$80022,1126838,281600,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files (x86)\Alien Isolation\unins000.exe
    "C:\Program Files (x86)\Alien Isolation\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Alien Isolation\unins000.exe" /FIRSTPHASEWND=$40182 /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Alien Isolation\unins000.dat

Filesize
340KB

MD5
6fe683963c84bf2d047be460c5296a0f

SHA1
6a9c6175f912c288649a04795d58ecf733d7b687

SHA256
45755ec5a0b144bde93f6471ab39101f96cce2da2ec0f1d7cdf69f50a29c75da

SHA512
81158f8191cfe246a8a0c2444a4d8edfa8cbeb16e9d3b9dc666dcfde00ddc254b6932d582c57af4c823e6fedc94f9f85d991af8c9eb5841de59a5597aa17c10b

Download Submit
C:\Users\Public\Desktop\Alien Isolation.lnk

Filesize
1KB

MD5
f8875d7488aaae71677c8f20e5fcd280

SHA1
cfe6a5c4c1558d8d9a8f9a16aa4380a9c3f7bb8d

SHA256
74d3506885e8dcbf859d353bd93fca86dc6a23bbb9e334bf21f9dd7212a13ab3

SHA512
fb0385e29bacea2b53147197d4cb885ef22e246707f2aad2a4991035f2bca48be2486929af92ac724449f4e11de2d01f137dee4e7ce60fa7bb194ca39bf174fd

Download Submit
\Program Files (x86)\Alien Isolation\unins000.exe

Filesize
1.7MB

MD5
90b576de0d7025d3d12d474b1c410983

SHA1
37b3f650e9c5501ab0b5aa9f7f8bbebd74b73ec6

SHA256
4cb12b725084ba0d548f0c3ea6a1f6659f80cae50516c85071b43609620dfd6a

SHA512
15c18292603fc1a9e3bae447e7abec3a7fb2938f856c5e6a093652e84a0587d85d2ab12771ea12816b4f29e2048a0fd82f159fa574f09fa5a4bb7612ef7118f7

Download Submit
\Users\Admin\AppData\Local\Temp\is-C3QCO.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-C3QCO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-C3QCO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NG3HQ.tmp\Setup.tmp

Filesize
1.7MB

MD5
9580bce296b052debe1fb1c6de0f0b4e

SHA1
5be0b5d1d65633738c9706c9d44fecf93b9d3ffb

SHA256
303b7847ec665c74c502c722e9d940424abf8d4cb4b3293cbf89093d1bdba6f7

SHA512
55f1dcdc0f3af3f0db90e60b78ce9dd3b4279b3a22933b3d5d7ede9841b001acc410ac784c69d1591860c905aed9263b81213afbfee7a8ea1b54a13a00573f16

Download Submit
memory/1740-20-0x00000000022D0000-0x0000000002347000-memory.dmp

Filesize
476KB

Download
memory/1740-41-0x00000000022D0000-0x0000000002347000-memory.dmp

Filesize
476KB

Download
memory/1740-40-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/1740-8-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/1740-87-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2312-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2312-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2312-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2312-88-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2372-70-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2528-67-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing