f271a5bbe7af7ddb0f5e027b608ad4bf8541f656d9b3c0be2bbc38f19a51abce

Resubmissions

Analysis

max time kernel
212s
max time network
280s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
04/06/2024, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup (7).exe
Size

15.5MB
MD5

9ef75fa00bbcc247ef288e0f770463f2
SHA1

fed2fe08b1ae92b1f1a34781c5f8a6e120fc06ac
SHA256

f271a5bbe7af7ddb0f5e027b608ad4bf8541f656d9b3c0be2bbc38f19a51abce
SHA512

7ba7419bd3cc16185144368697e56711de03031a6523c2d9f8bda9824fad9d17319e19809630e65aaa244d405f731f8fc5a71b1f9363e1fb929e074a8b880d03
SSDEEP

393216:V4KVNdjjTC4+hH7P6a82Jsv6tWKFdu9CJ8:JfC4y6f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4880	Setup (7).tmp
2784	Setup (7).tmp

Loads dropped DLL 2 IoCs

pid	Process
4880	Setup (7).tmp
2784	Setup (7).tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	Setup (7).tmp
2784	Setup (7).tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	Setup (7).tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4880	3116	Setup (7).exe	78
PID 3116 wrote to memory of 4880	3116	Setup (7).exe	78
PID 3116 wrote to memory of 4880	3116	Setup (7).exe	78
PID 4880 wrote to memory of 4220	4880	Setup (7).tmp	79
PID 4880 wrote to memory of 4220	4880	Setup (7).tmp	79
PID 4880 wrote to memory of 4220	4880	Setup (7).tmp	79
PID 4220 wrote to memory of 2784	4220	Setup (7).exe	80
PID 4220 wrote to memory of 2784	4220	Setup (7).exe	80
PID 4220 wrote to memory of 2784	4220	Setup (7).exe	80

C:\Users\Admin\AppData\Local\Temp\Setup (7).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (7).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\is-NLNNA.tmp\Setup (7).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NLNNA.tmp\Setup (7).tmp" /SL5="$500DA,3955198,832512,C:\Users\Admin\AppData\Local\Temp\Setup (7).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\Setup (7).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (7).exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\is-TT0FS.tmp\Setup (7).tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TT0FS.tmp\Setup (7).tmp" /SL5="$600DA,3955198,832512,C:\Users\Admin\AppData\Local\Temp\Setup (7).exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GEKC8.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLNNA.tmp\Setup (7).tmp

Filesize
3.1MB

MD5
46a43893f81496a8a885e061b9e72d8f

SHA1
fed4bdc6cfd1a4652a6a9a2389722000d964ffc2

SHA256
247f379e1e0e3307162f19ea1fdb0aac60b6b9a284f8929a7207ddc389e4e9b1

SHA512
e366a082c9ae050696574c6496698bef46cb718bb4ff4febbb25781704f48e0a7459c9075f47f68899e5db6bad939324ab05ca4d169f6d62b68835283dab447d

Download Submit
memory/2784-27-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2784-36-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3116-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3116-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3116-19-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4220-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4220-15-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4220-39-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4880-10-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4880-17-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download