f9e7d7ea90729122761d00d7e48945aa4e6094526c6fb551e6cc9f690ac2e671

Analysis

max time kernel
68s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#!!SetUp_PassW0rd$$__11064.rar
Size

9.8MB
MD5

2f6f383688540af21e122f29798d47a4
SHA1

8a1c28403ff2e92acddac733d3658624a50bc3fe
SHA256

d179b193451aa412053f2b45f0b83023f897776d1d0c82665cdd9c86713bbc1b
SHA512

3086499c568379cd8857fa0b4e8da052cd8b831a2cc214b90e37ed20e602e0c6443dd2ada017c2f823db9302fcb3dcdd3a86c2aabf5b24d2e2971d7c1e794b04
SSDEEP

196608:7bK0ebPGxqKkM53ikFi70KXU1nkOOMXSq/SW39gje/avZC7:7aPi3kM53ikFq0mAnROMXb//3GCGk7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2556	Setup.exe
2616	Setup.tmp
2536	Setup.exe
2396	Setup.tmp
2632	UnRAR.exe
2316	SpyShelter.exe
1444	SpyShelter.exe

Loads dropped DLL 25 IoCs

pid	Process
2556	Setup.exe
2616	Setup.tmp
2536	Setup.exe
2396	Setup.tmp
2572	Process not Found
2396	Setup.tmp
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
2316	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
1444	SpyShelter.exe
3048	cmd.exe
588	mt2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 3048	1444	SpyShelter.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2396	Setup.tmp
2396	Setup.tmp
2716	7zFM.exe
2716	7zFM.exe
2716	7zFM.exe
2716	7zFM.exe
1444	SpyShelter.exe
2716	7zFM.exe
3048	cmd.exe
3048	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	7zFM.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1444	SpyShelter.exe
3048	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2716	7zFM.exe
Token: 35	2716	7zFM.exe
Token: SeSecurityPrivilege	2716	7zFM.exe
Token: SeSecurityPrivilege	2716	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2716	7zFM.exe
2716	7zFM.exe
2396	Setup.tmp
2716	7zFM.exe
2716	7zFM.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2716	2004	cmd.exe	29
PID 2004 wrote to memory of 2716	2004	cmd.exe	29
PID 2004 wrote to memory of 2716	2004	cmd.exe	29
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2716 wrote to memory of 2556	2716	7zFM.exe	30
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2556 wrote to memory of 2616	2556	Setup.exe	31
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2616 wrote to memory of 2536	2616	Setup.tmp	32
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2536 wrote to memory of 2396	2536	Setup.exe	33
PID 2396 wrote to memory of 2632	2396	Setup.tmp	34
PID 2396 wrote to memory of 2632	2396	Setup.tmp	34
PID 2396 wrote to memory of 2632	2396	Setup.tmp	34
PID 2396 wrote to memory of 2632	2396	Setup.tmp	34
PID 2396 wrote to memory of 2316	2396	Setup.tmp	36
PID 2396 wrote to memory of 2316	2396	Setup.tmp	36
PID 2396 wrote to memory of 2316	2396	Setup.tmp	36
PID 2396 wrote to memory of 2316	2396	Setup.tmp	36
PID 2316 wrote to memory of 1444	2316	SpyShelter.exe	37
PID 2316 wrote to memory of 1444	2316	SpyShelter.exe	37
PID 2316 wrote to memory of 1444	2316	SpyShelter.exe	37
PID 1444 wrote to memory of 3048	1444	SpyShelter.exe	38
PID 1444 wrote to memory of 3048	1444	SpyShelter.exe	38
PID 1444 wrote to memory of 3048	1444	SpyShelter.exe	38
PID 1444 wrote to memory of 3048	1444	SpyShelter.exe	38
PID 1444 wrote to memory of 3048	1444	SpyShelter.exe	38
PID 3048 wrote to memory of 588	3048	cmd.exe	42
PID 3048 wrote to memory of 588	3048	cmd.exe	42
PID 3048 wrote to memory of 588	3048	cmd.exe	42
PID 3048 wrote to memory of 588	3048	cmd.exe	42
PID 3048 wrote to memory of 588	3048	cmd.exe	42
PID 3048 wrote to memory of 588	3048	cmd.exe	42

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\#!!SetUp_PassW0rd$$__11064.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#!!SetUp_PassW0rd$$__11064.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\is-KVQMC.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KVQMC.tmp\Setup.tmp" /SL5="$401C8,9148414,791552,C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\is-1440M.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1440M.tmp\Setup.tmp" /SL5="$50190,9148414,791552,C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\is-024E6.tmp\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-024E6.tmp\\UnRAR.exe" x -pVX#YC6 -o+ "C:\Users\Admin\AppData\Local\\ConfigUpdatev3\\config\\\EWRTGHCFVJB.rar" "C:\Users\Admin\AppData\Local\\ConfigUpdatev3\\config\\"
        7⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\ConfigUpdatev3\config\SpyShelter.exe
        
        "C:\Users\Admin\AppData\Local\ConfigUpdatev3\config\SpyShelter.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\ControlScan\SpyShelter.exe
        
        C:\Users\Admin\AppData\Roaming\ControlScan\SpyShelter.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\mt2.exe
        
        C:\Users\Admin\AppData\Local\Temp\mt2.exe
        10⤵
        Loads dropped DLL
        
        PID:588

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ConfigUpdatev3\config\EWRTGHCFVJB.rar

Filesize
7.5MB

MD5
41db01ddad7e015ae17bf17dd0185189

SHA1
97380e63ccedc9f309999285a412607a4d31b0fd

SHA256
2923676c063602e903f71daf3daf0b22155225b8887e8e29b310099a7a514264

SHA512
794acca587e679c916e14e2449af14824944227e22bb2ce56280f4dc9aecac9dc04dadbc1fefd12979be1cac98cdb6bdaef06a04499b4102df0343cb4c17bd98

Download Submit
C:\Users\Admin\AppData\Local\ConfigUpdatev3\config\SpyShelter.exe

Filesize
316KB

MD5
c637e5ecf625b72f4bef9d28cd81d612

SHA1
a2c1329d290e508ee9fd0eb81e7f25d57e450f8c

SHA256
111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6

SHA512
727d78bab4fab3674eec92ca5f07df6a0095ab3b973dd227c599c70e8493592bb53bb9208cc6270713283ef0065acfad3203ddcf4dcb6d43f8727f09ceaaf2e4

Download Submit
C:\Users\Admin\AppData\Local\ConfigUpdatev3\config\draw.m4a

Filesize
1.6MB

MD5
296a63afdc7b07cea46fd2892ef61fa4

SHA1
390ba66173eddf43b0ea2256db59c5b167f13d53

SHA256
aaf2a239b5cfa54a096ef1b03cf217111ae9b400c8e0fcc340202742a0acf883

SHA512
6c65d05d09d701d49938fb74b71ffbee94be74ecd8344646c383b46f2b53fcb70ca544c35e1fa2f688efbe6af2663e5e84e4bb3d6a75e214e74bca5f111b0667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC9A973A6\Setup.exe

Filesize
10.6MB

MD5
7712c9edae789a8e6acae3aa5054c687

SHA1
dea527f4545b63dccaa0f7765538ff9105a56fd8

SHA256
2472d082884a141ee79ebdf88f984bea7abeb51911c8cb83f432759d69e9ac60

SHA512
e862be29c57c1eac31d4bd7928c7cfcbba94e29de149dcd02f229d438ea9156c8e4da25b718c32dbf61c3b3235c94901f450dd3b484b02a3b025bf49b4f76713

Download Submit
C:\Users\Admin\AppData\Local\Temp\843d8347

Filesize
2.4MB

MD5
a17810b885d51c8d9c575e3ae7b917db

SHA1
f45d2234835fd795011a9f0d71b90ffeae679c4e

SHA256
d58048f764a8a3b4c857cca232d9ed06f1478b99b5c9446a1a2fb1f4f1b2fcf9

SHA512
af3198e3a76c4fb2a16fe866bd214df2f36f1b818b0e3384a402abfdacb1a59d77ae98ca907c8ea20e3df8b3df3c8228c22de9ef02817acc85374e6a43485c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQMC.tmp\Setup.tmp

Filesize
3.0MB

MD5
36ca93d9a04036f285674ed581e92088

SHA1
42fee30bb9301a4fb069da9ae2f8076098ed860a

SHA256
f42413c68f345048a903b6773a34ea4668f41ca9381b14ff50f1d543ffa41e4d

SHA512
d345de2d425e4f0fe1c66a9788b242cf821028091320baf17dd584a0200bf6763543fc1ce1feea481cc1bca044e03f1fba6933fe0dc12b9b68c3c1154faf206e

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\flutter_desktop_sleep_plugin.dll

Filesize
91KB

MD5
ae8bbd77a997d05c06e459f0f3faa5af

SHA1
843ae129debba252eaebce0459adccddc1315826

SHA256
9600697c57da5a1411a227eb5fc135f20d0ea292f458290d15fb959c1f75537e

SHA512
13067ed69244f94206e642b408143409b48fb976221dbbbbdd86f0b357a8b7b0cad334a6259751a718f2149e183d322bb8b03e26abff2cdcac2826a551e27d2f

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\flutter_windows.dll

Filesize
17.4MB

MD5
c83a421b7bd1397363fa51362110c91e

SHA1
beaf291c1852ad8a9e9827539228cfe17b8b660b

SHA256
9217428eb65fe60eac0c965bafd241d2f1efa8f14b6cc292e260b356c2d7220e

SHA512
f77f0dffa1dee3d7554559316f9e5803a77cab71bf03f6773953a8cd0fa2a718c5af4aa7d7790046a5cd275b769cbfeb14a1849af4840fa37d6ef0d1f434af91

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\tray_manager_plugin.dll

Filesize
113KB

MD5
65dcbb76cbb2bbb1684186f1520e888d

SHA1
25d656c1cb3c814776779bc53e0e2b937d8441f4

SHA256
9c7e0de576932c8b2149849c96f3493bcae215f6db5996dbaf5ae1788697e8f0

SHA512
e351547e551943db0267828e283797c81b593ec303cee4d4447226e86927acac93b87226e79e1a913a1ec397b4183b7ee81a2af8764f71d7fa73c41bb102d9ca

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\url_launcher_windows_plugin.dll

Filesize
92KB

MD5
7e6a40e0083af22b186b662553d679fc

SHA1
b74c38d1d33004fb27b1df8003ecd4b87a5739c1

SHA256
578323ec0b492e72987778af3811cd00b71171b1e84b92e720964543f8f3a183

SHA512
3ac74e807bddffc2965cb3878a51e5c7c3b5eab2dcf8bc1ffaa41a56e20460cd01ff6b9a00d78e1aa021f5b9c38ba4f4726d37bf42749da4fa208e3f8985c114

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
\Users\Admin\AppData\Local\ConfigUpdatev3\config\windows_single_instance_plugin.dll

Filesize
82KB

MD5
00c451a17ddfcd810086fb2ad794125a

SHA1
feba77a0ca91f828099a3444a93ff11b6ce40fe5

SHA256
f1430479210c19093d76435e5826e3578420933248b51164e11f0992f77ed1f1

SHA512
6ea4d2556e0b82d017cde2a3c5c9b2881daca6b5af0e92cd10be886047eb6303085244ac1bb764e96595b3ca448504591c976dfefbffca8c6cbabe28f81e78c3

Download Submit
\Users\Admin\AppData\Local\Temp\is-024E6.tmp\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
\Users\Admin\AppData\Local\Temp\mt2.exe

Filesize
1.4MB

MD5
9f67479b4c77dbbb380b23b813e5485f

SHA1
a827cba61914df8dcad8e2ecdad7b506c88b55f8

SHA256
a31132c9fd2d825ef1e5dfaa9f750d18b935810b87e0f560f7cb4369002064bd

SHA512
163b7fddc90816fb81ffbcde3f148c392a98e632653302882bdeb24dc798fc0526089800f21dcfa6c626dbd4e08549a929be24b970af291d997bd6405186eda9

Download Submit
memory/588-158-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/588-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/588-155-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/588-156-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-95-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2536-98-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2536-48-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2556-61-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2556-36-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2616-47-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3048-148-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/3048-145-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download