36ee67ee4e77ec87ee989e9361c15de0af7d26260d2b34ba2a88168090ff4045

Analysis

max time kernel
89s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 21:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

#!!SetUp_4474_PassW0rd$$/Setup.exe
Size

15.1MB
MD5

f95295e7fb1c1fd784e313c40a365bd4
SHA1

883817e53e267514a165f4283fbac1e7f336800a
SHA256

511928e61ab1a01e2ba9b0396042ee894498376d31c83288c7f4c260e6b40193
SHA512

324ea90cb92fc5ae5527a497851bfc4dae8a39f3719a5b8cfb2c606db62b033ed910de2d903107491642c74a5e60f7e3fe340d9f7b77e79a0f3548d7ef79c74d
SSDEEP

393216:IUnJ8okoHRsrQxYi6n4BIV4E1xWCXbH0ZH3P:IUniFoOQxYbn4BINvWCLIH3P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3260	Setup.tmp
3928	Setup.tmp
1156	UnRAR.exe
4504	DPMHelper.exe
2456	DPMHelper.exe

Loads dropped DLL 21 IoCs

pid	Process
3260	Setup.tmp
3928	Setup.tmp
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
4504	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
2448	Null.au3

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 3104	2456	DPMHelper.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3928	Setup.tmp
3928	Setup.tmp
4504	DPMHelper.exe
2456	DPMHelper.exe
2456	DPMHelper.exe
3104	more.com
3104	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2456	DPMHelper.exe
3104	more.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3928	Setup.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 3260	4684	Setup.exe	81
PID 4684 wrote to memory of 3260	4684	Setup.exe	81
PID 4684 wrote to memory of 3260	4684	Setup.exe	81
PID 3260 wrote to memory of 4892	3260	Setup.tmp	82
PID 3260 wrote to memory of 4892	3260	Setup.tmp	82
PID 3260 wrote to memory of 4892	3260	Setup.tmp	82
PID 4892 wrote to memory of 3928	4892	Setup.exe	83
PID 4892 wrote to memory of 3928	4892	Setup.exe	83
PID 4892 wrote to memory of 3928	4892	Setup.exe	83
PID 3928 wrote to memory of 1156	3928	Setup.tmp	84
PID 3928 wrote to memory of 1156	3928	Setup.tmp	84
PID 3928 wrote to memory of 4504	3928	Setup.tmp	86
PID 3928 wrote to memory of 4504	3928	Setup.tmp	86
PID 3928 wrote to memory of 4504	3928	Setup.tmp	86
PID 4504 wrote to memory of 2456	4504	DPMHelper.exe	87
PID 4504 wrote to memory of 2456	4504	DPMHelper.exe	87
PID 4504 wrote to memory of 2456	4504	DPMHelper.exe	87
PID 2456 wrote to memory of 3104	2456	DPMHelper.exe	88
PID 2456 wrote to memory of 3104	2456	DPMHelper.exe	88
PID 2456 wrote to memory of 3104	2456	DPMHelper.exe	88
PID 2456 wrote to memory of 3104	2456	DPMHelper.exe	88
PID 3104 wrote to memory of 2448	3104	more.com	90
PID 3104 wrote to memory of 2448	3104	more.com	90
PID 3104 wrote to memory of 2448	3104	more.com	90
PID 3104 wrote to memory of 2448	3104	more.com	90
PID 3104 wrote to memory of 2448	3104	more.com	90

C:\Users\Admin\AppData\Local\Temp\#!!SetUp_4474_PassW0rd$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!!SetUp_4474_PassW0rd$$\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\is-AEFOS.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AEFOS.tmp\Setup.tmp" /SL5="$4021A,4613118,799232,C:\Users\Admin\AppData\Local\Temp\#!!SetUp_4474_PassW0rd$$\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\#!!SetUp_4474_PassW0rd$$\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\#!!SetUp_4474_PassW0rd$$\Setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\is-3A44L.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3A44L.tmp\Setup.tmp" /SL5="$4021E,4613118,799232,C:\Users\Admin\AppData\Local\Temp\#!!SetUp_4474_PassW0rd$$\Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\is-VDNG3.tmp\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VDNG3.tmp\\UnRAR.exe" x -pVX#YC6 -o+ "C:\Users\Admin\AppData\Local\\Securityupdate_USv3_x86\\config\\\DFXCGHVBJKNM.rar" "C:\Users\Admin\AppData\Local\\Securityupdate_USv3_x86\\config\\"
        5⤵
        Executes dropped EXE
        
        PID:1156
    - - C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\DPMHelper.exe
        
        "C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\DPMHelper.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Users\Admin\AppData\Roaming\kcd_server\DPMHelper.exe
        
        C:\Users\Admin\AppData\Roaming\kcd_server\DPMHelper.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Null.au3
        
        C:\Users\Admin\AppData\Local\Temp\Null.au3
        8⤵
        Loads dropped DLL
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\DFXCGHVBJKNM.rar

Filesize
3.2MB

MD5
764d7c6f3e8ea8e4c6abdb094ac4c343

SHA1
4ddeffc0f782a673be7ba4fe75ccec10ae22582f

SHA256
9168908ba3c9e8ff408bd26a7b24f98e2cf911c60cbb8fb19ba53e402d9d0ed8

SHA512
54f6e010872dc35ffc39e2e75695f19edcc8389c6d322c3e3df945813c38ca8f0f8ad9089dcdb26fc2bf4023141565b10d08e7613fc930185a5c063a86772486

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\DPMHelper.exe

Filesize
2.3MB

MD5
5d52ef45b6e5bf144307a84c2af1581b

SHA1
414a899ec327d4a9daa53983544245b209f25142

SHA256
26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

SHA512
458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\crayon.iso

Filesize
36KB

MD5
af2c0828351a8fac45c38b88fd08f95c

SHA1
a27910922a2d9c5536e459460960f517e6432def

SHA256
a1ff04f21947897b38a05cec12a91bfee321041460c22acd95c73912c61515a0

SHA512
9f9d2b451b296372e78eacb6191ad1b0240f9a538f3225feb7d44431dbbdef7ae6ffd9db8681bc6ef6151c7c2943a9b40b96207b873f828cd5362aa85feb1f95

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\madbasic_.bpl

Filesize
210KB

MD5
e03a0056e75d3a5707ba199bc2ea701f

SHA1
bf40ab316e65eb17a58e70a3f0ca8426f44f5bef

SHA256
7826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb

SHA512
b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\maddisAsm_.bpl

Filesize
63KB

MD5
ef3b47b2ea3884914c13c778ff29eb5b

SHA1
dc2b1fa7c7547d8f1ad3f20f9060f7bc686118e0

SHA256
475f7cdffd8ed4d6f52bd98ae2bb684f1c923a1be2a692757a9af788a39b1d87

SHA512
9648d951d8d3640436c8029fd0f06786f7ff8f52191cd6959569c87868bb6c40ac8c7e495c09377a8a5c85e8d3942551c37eb84e916b5c16327d8d43a167820e

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\madexcept_.bpl

Filesize
436KB

MD5
04aa152bede174499d61d82ee88b52e0

SHA1
3721ddd493b1229f106935b9fc9bbf36eb07d967

SHA256
b6689a25dbdffe1aacaefc1ad10b1e5aec8ebb55b00e4cc00b7a8cc6f589376c

SHA512
2f1ab2c5c3f1e85ce14dfa43fdb6c2096aa069a5a27aca0b61f2de8beea19ece254fde5afc8744e78be96c75e87ce3678b69c91725c206b4d1b7cef057457016

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\outtray.jpeg

Filesize
1.3MB

MD5
d22ec68271d07acc7b82bdb4aa1c067f

SHA1
f2eeb4f64675569f36dde029886813ef1df0319d

SHA256
1c5ed3e90dea97cb2b6f66865baad3e618c160378f7234d507e9ebc99a430446

SHA512
b1e5d13264a95a07bf6663ee4439f5a0d1ce960bfee676aa79a656c3ec9fe519b3e79447a9fa56059b94daf9e0c4742be7b786016dbf02b1a9903c6670843677

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\rtl120.bpl

Filesize
1.1MB

MD5
1681f93e11a7ed23612a55bcef7f1023

SHA1
9b378bbdb287ebd7596944bce36b6156caa9ff7d

SHA256
7ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef

SHA512
726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\vcl120.bpl

Filesize
1.9MB

MD5
13a2734bb2249010514386ebc856b8da

SHA1
8f6e3b30f30a5bba9bc6baaf8f440e085a6a568a

SHA256
713c21d009000d504d9bcf3ce95d50e74d3933083783de144db0a16e2425ebcc

SHA512
2f108436fc1a03591802ff6b8c6ac1de1c0388b2a2a6f8839c10b5f0ec06b66775f261da4ace05fa367eb46b5be533949c092e113fe1270adedb9cb8c34ba2dd

Download Submit
C:\Users\Admin\AppData\Local\Securityupdate_USv3_x86\config\vclx120.bpl

Filesize
222KB

MD5
3cb8f7606940c9b51c45ebaeb84af728

SHA1
7f33a8b5f8f7210bd93b330c5e27a1e70b22f57b

SHA256
2feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053

SHA512
7559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Null.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1129ad1

Filesize
1.8MB

MD5
4b6a0f0d22998b2754df8097f8cbd233

SHA1
e79906d710472f5137d1e233d3cf7d109ac7d74d

SHA256
41ab349973f7cfc6f08171571e0d25bbc83b04d88927f21cac56bb8b499b5cbb

SHA512
907046f08953dcc1f1d1a0cfe591afa63330c26d2290aede3ac3a37066e1e7c57b428b3cfb8aa6bbeebd8a98f5ac81a98f561a389325e2bab62368225f9a206e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AEFOS.tmp\Setup.tmp

Filesize
3.0MB

MD5
0b64ca6aae7885492b4a157b56920219

SHA1
659e223d3428ec5c660f72ca595d15b731fac456

SHA256
2c444c5df4812e4e47d143382579aad4ecc4e2286de0ed0e4cd3214a8a065b27

SHA512
b09c6e979b3703df19614d7e85b3cd33be526acbc823e5d1a6ba58162adf6ac3b687b98d31aa348b0d412d16b642bd3289e0e25ca43bc8f03cc9f7cea53a1e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVUBA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VDNG3.tmp\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
memory/2448-136-0x00000000000F0000-0x0000000000149000-memory.dmp

Filesize
356KB

Download
memory/2448-137-0x00007FFF34EE0000-0x00007FFF350E9000-memory.dmp

Filesize
2.0MB

Download
memory/2448-139-0x00000000000F0000-0x0000000000149000-memory.dmp

Filesize
356KB

Download
memory/2456-116-0x0000000075190000-0x00000000751E4000-memory.dmp

Filesize
336KB

Download
memory/2456-121-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2456-125-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2456-118-0x0000000075190000-0x00000000751E4000-memory.dmp

Filesize
336KB

Download
memory/2456-117-0x00007FFF34EE0000-0x00007FFF350E9000-memory.dmp

Filesize
2.0MB

Download
memory/3104-130-0x0000000075190000-0x00000000751E4000-memory.dmp

Filesize
336KB

Download
memory/3104-128-0x00007FFF34EE0000-0x00007FFF350E9000-memory.dmp

Filesize
2.0MB

Download
memory/3260-17-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3260-10-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3928-68-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4504-101-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4504-102-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/4504-98-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/4504-103-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/4504-105-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/4504-107-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/4504-93-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/4504-79-0x0000000074860000-0x00000000748B4000-memory.dmp

Filesize
336KB

Download
memory/4504-81-0x00007FFF34EE0000-0x00007FFF350E9000-memory.dmp

Filesize
2.0MB

Download
memory/4684-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4684-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4684-21-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4892-80-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4892-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4892-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download