f271a5bbe7af7ddb0f5e027b608ad4bf8541f656d9b3c0be2bbc38f19a51abce

Resubmissions

Analysis

max time kernel
291s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup (7).exe
Size

15.5MB
MD5

9ef75fa00bbcc247ef288e0f770463f2
SHA1

fed2fe08b1ae92b1f1a34781c5f8a6e120fc06ac
SHA256

f271a5bbe7af7ddb0f5e027b608ad4bf8541f656d9b3c0be2bbc38f19a51abce
SHA512

7ba7419bd3cc16185144368697e56711de03031a6523c2d9f8bda9824fad9d17319e19809630e65aaa244d405f731f8fc5a71b1f9363e1fb929e074a8b880d03
SSDEEP

393216:V4KVNdjjTC4+hH7P6a82Jsv6tWKFdu9CJ8:JfC4y6f

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Setup (7).tmp

Executes dropped EXE 2 IoCs

pid	Process
3128	Setup (7).tmp
1460	Setup (7).tmp

Loads dropped DLL 2 IoCs

pid	Process
3128	Setup (7).tmp
1460	Setup (7).tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	Setup (7).tmp
1460	Setup (7).tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1460	Setup (7).tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 3128	1108	Setup (7).exe	91
PID 1108 wrote to memory of 3128	1108	Setup (7).exe	91
PID 1108 wrote to memory of 3128	1108	Setup (7).exe	91
PID 3128 wrote to memory of 5108	3128	Setup (7).tmp	92
PID 3128 wrote to memory of 5108	3128	Setup (7).tmp	92
PID 3128 wrote to memory of 5108	3128	Setup (7).tmp	92
PID 5108 wrote to memory of 1460	5108	Setup (7).exe	93
PID 5108 wrote to memory of 1460	5108	Setup (7).exe	93
PID 5108 wrote to memory of 1460	5108	Setup (7).exe	93

C:\Users\Admin\AppData\Local\Temp\Setup (7).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (7).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\is-343HM.tmp\Setup (7).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-343HM.tmp\Setup (7).tmp" /SL5="$801DC,3955198,832512,C:\Users\Admin\AppData\Local\Temp\Setup (7).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\Setup (7).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (7).exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\is-4A9R4.tmp\Setup (7).tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4A9R4.tmp\Setup (7).tmp" /SL5="$801DE,3955198,832512,C:\Users\Admin\AppData\Local\Temp\Setup (7).exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-343HM.tmp\Setup (7).tmp

Filesize
3.1MB

MD5
46a43893f81496a8a885e061b9e72d8f

SHA1
fed4bdc6cfd1a4652a6a9a2389722000d964ffc2

SHA256
247f379e1e0e3307162f19ea1fdb0aac60b6b9a284f8929a7207ddc389e4e9b1

SHA512
e366a082c9ae050696574c6496698bef46cb718bb4ff4febbb25781704f48e0a7459c9075f47f68899e5db6bad939324ab05ca4d169f6d62b68835283dab447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C1RVJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1108-21-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1108-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1108-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1108-11-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1460-36-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1460-26-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3128-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3128-18-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5108-16-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5108-14-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5108-38-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download