02a5539413662612285c1fb5308524a0580c5526b097fcae06c3cefe860c6aba

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (2).exe
Size

12.2MB
MD5

3770d31935ff5c06e00217dd6872f8a5
SHA1

1bccbfc5e904e98aadb4900b4fd7a838988481fd
SHA256

02a5539413662612285c1fb5308524a0580c5526b097fcae06c3cefe860c6aba
SHA512

0209889c6a9a11d843163fa271850ff1cf83c067e810130e197d1bbe3955fc8b0291eaba0e3ec74eec47f4ecf403f367181589b89b3868737a517778f13d23a0
SSDEEP

196608:CTcdu8+Fy1kYUd7VUIUo/mglLA1UPrzt4IjXTRqH4CstdCdTXf0Ibmy74g0i:Scdu3Fkk3d7PUo/mgpthjXTXtdaT8gF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Setup (2).tmp

Executes dropped EXE 2 IoCs

pid	Process
4480	Setup (2).tmp
1288	Setup (2).tmp

Loads dropped DLL 2 IoCs

pid	Process
4480	Setup (2).tmp
1288	Setup (2).tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1288	Setup (2).tmp
1288	Setup (2).tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1288	Setup (2).tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4480	880	Setup (2).exe	84
PID 880 wrote to memory of 4480	880	Setup (2).exe	84
PID 880 wrote to memory of 4480	880	Setup (2).exe	84
PID 4480 wrote to memory of 2912	4480	Setup (2).tmp	86
PID 4480 wrote to memory of 2912	4480	Setup (2).tmp	86
PID 4480 wrote to memory of 2912	4480	Setup (2).tmp	86
PID 2912 wrote to memory of 1288	2912	Setup (2).exe	88
PID 2912 wrote to memory of 1288	2912	Setup (2).exe	88
PID 2912 wrote to memory of 1288	2912	Setup (2).exe	88

C:\Users\Admin\AppData\Local\Temp\Setup (2).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\is-2HFM5.tmp\Setup (2).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2HFM5.tmp\Setup (2).tmp" /SL5="$120066,4629198,799232,C:\Users\Admin\AppData\Local\Temp\Setup (2).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\Setup (2).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (2).exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\is-E2C5P.tmp\Setup (2).tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E2C5P.tmp\Setup (2).tmp" /SL5="$130066,4629198,799232,C:\Users\Admin\AppData\Local\Temp\Setup (2).exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2HFM5.tmp\Setup (2).tmp

Filesize
3.0MB

MD5
eae4c9da7c6bd5d4d529fe98a3796856

SHA1
395e1b5cad44f2136c38ac9b64b726649a9cb33c

SHA256
0bff7f7d82d0e5950892f7bc349b1ea6f000122de195144643084652153457fc

SHA512
ab2cbd4c1c34b608989fab83d2ce5e847445778985621790bad3fe0b16772017614c788b4ef66d60330f3e04508fcf27da0279f99fefb31330ffe9934612ef23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-41MV1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/880-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/880-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/880-19-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1288-27-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1288-36-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2912-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2912-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2912-39-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4480-8-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4480-17-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download