637eb46a202d47a1e7f8ecc0f328d6b1a8131ea31f34a4cab018d58cadcb37e3

Analysis

max time kernel
90s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

12.8MB
MD5

221894fa63d60d5922c9c4a437bc4650
SHA1

dbcad79537bb4dea49456b00447ea744268390b9
SHA256

637eb46a202d47a1e7f8ecc0f328d6b1a8131ea31f34a4cab018d58cadcb37e3
SHA512

451f25df09df15637e2eafa0a948300b04c3b99234d3120a7c540162d8f05d83173e8d4422657194240048a10b6541d7417fdb062033fb0c0a8029b7045ca57e
SSDEEP

393216:2RPBKkklwTnfpkyvinOVkbr32faMd5PNO:CP4kkl40nOVc6yMvPNO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
3672	VMSSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	Setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3672	4048	Setup.exe	84
PID 4048 wrote to memory of 3672	4048	Setup.exe	84
PID 4048 wrote to memory of 3672	4048	Setup.exe	84

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\VMSSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\VMSSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VMSSetup.exe

Filesize
1.5MB

MD5
f9ee75ff641ea4162046729da1e1dc1e

SHA1
e74c7f8a19b58f89c90cf208a4ec17b77cb586a6

SHA256
b425e3d94862c4db18bd03dd15f3bcc7e32b2ddadc0f201d5caba3d88d5ab819

SHA512
fe18779c9a1bae6c43f2a5033a5d095bbe900e20ccf5f51f8e674e5191d5e06516970dc244eb457fb8e77124277f6dd7c6e10f67d436b92d9fd79380cb71a7b0

Download Submit
memory/4048-0-0x00007FFD98823000-0x00007FFD98825000-memory.dmp

Filesize
8KB

Download
memory/4048-1-0x000002744D2E0000-0x000002744DFAE000-memory.dmp

Filesize
12.8MB

Download