Resubmissions

12/06/2024, 18:34

240612-w742tavfrd 7

12/06/2024, 18:33

240612-w7cmkayfrj 7

Analysis

  • max time kernel
    592s
  • max time network
    360s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240419-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/06/2024, 18:33

General

  • Target

    Setup.exe

  • Size

    9.8MB

  • MD5

    2cf71e22becf0ef89a881838c6421d21

  • SHA1

    ff0a5c9c614ac65730bea453b2a8f5d1295c909f

  • SHA256

    05b5395c452dc7f18e98d029111b2e93b53b342af75e701f0bd301cc7dac2d9f

  • SHA512

    fec7aa9d3091a9531a37ee3ae504635088eb5225068f9e8dc9765fe71da35ec3627cb3eb27bb0ce76f7dec593f73a46e7a347420729a0283a4036191bcef1ef1

  • SSDEEP

    196608:bhHh86KKAqxihfpkLwngFdk6yjFPMHeDuEiwSKjTrNCFc:dHb1AthfpUqlF2eL5S0Nyc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\is-OE19M.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OE19M.tmp\Setup.tmp" /SL5="$50126,791552,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Users\Admin\AppData\Local\Temp\is-54LQO.tmp\Setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-54LQO.tmp\Setup.tmp" /SL5="$80120,791552,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\is-OE19M.tmp\Setup.tmp

    Filesize

    3.0MB

    MD5

    31c0e65dc89f93a59b404edec82218ad

    SHA1

    3ed86b50d2ec5c276f5f4e0f8d6ddd51f97c1e24

    SHA256

    0a64b5242f45bb147c607301b49f4c71380d5d9e56e3cf30ae9742681f0988c3

    SHA512

    74e9e7c7eec1dcdb282601e8d4c21bdb7d2ea212f8aa51dcec5d60aa16b713e6ba10ec8f292258b0e742c0c3dcd8aaf05fcb5a6b6eea649740247a86df1725fa

  • memory/1264-24-0x0000000000400000-0x000000000070A000-memory.dmp

    Filesize

    3.0MB

  • memory/2172-2-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

  • memory/2172-0-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2172-22-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2368-9-0x0000000000400000-0x000000000070A000-memory.dmp

    Filesize

    3.0MB

  • memory/2368-14-0x0000000000400000-0x000000000070A000-memory.dmp

    Filesize

    3.0MB

  • memory/2548-12-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2548-23-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB